Dangerous XSS Bugs in RedCAP Threaten Academic & Scientific Research

Researchers have discovered three cross-site scripting (XSS) vulnerabilities in Research Electronic Data Capture (REDCap), a Web application developed by Vanderbilt University and used for building and managing online surveys and databases for scientific and academic researchers.

The vulnerabilities are tracked as CVE-2024-37394, CVE-2024-37395, and CVE-2024-37396, and they "could allow attackers to execute malicious JavaScript code in victims' browsers, potentially compromising sensitive data," according to an advisory from Trustwave's SpiderLabs.

Researchers there identified the vulnerabilities in multiple locations within version 13.1.9 in REDCap, which is popular in universities and scientific institutions for managing studies that contain private, sensitive information. The vulnerable locations in the platform include calendar events, public surveys, and project dashboards.

"Our researchers developed proof-of-concept exploits for each vulnerable location," the researchers wrote. "In each case, they were able to inject a simple JavaScript payload that, when triggered, executes an alert displaying the document domain."

The vulnerabilities could allow threat actors to steal sensitive information, impersonate the victim's actions, manipulate the REDCap application, and even gain access to protected data.

It's recommended that users update to REDCap version 14.2.1 or later, where Vanderbilt University has addressed these bugs, to mitigate these flaws.