Dangerous XSS Bugs in REDCap Threaten Academic & Scientific Research

The security vulnerabilities, CVE-2024-37394, CVE-2024-37395, and CVE-2024-37396, could lay open proprietary and sensitive research to data thieves.

Dark Reading Staff, Dark Reading

July 31, 2024


Researchers have discovered three cross-site scripting (XSS) vulnerabilities in Research Electronic Data Capture (REDCap), a Web application developed by Vanderbilt University and used for building and managing online surveys and databases for scientific and academic researchers.

The vulnerabilities are tracked as CVE-2024-37394, CVE-2024-37395, and CVE-2024-37396, and they "could allow attackers to execute malicious JavaScript code in victims' browsers, potentially compromising sensitive data," according to an advisory from Trustwave's SpiderLabs.

Researchers there identified the vulnerabilities in multiple locations within version 13.1.9 of REDCap, which is popular in universities and scientific institutions for managing studies that contain private, sensitive information. The vulnerable locations in the platform include calendar events, public surveys, and project dashboards.

"Our researchers developed proof-of-concept exploits for each vulnerable location," the researchers wrote. "In each case, they were able to inject a simple JavaScript payload that, when triggered, executes an alert displaying the document domain."

The vulnerabilities could allow threat actors to steal sensitive information, impersonate the victim's actions, manipulate the REDCap application, and even gain access to protected data.

Users are advised to update to REDCap version 14.2.1 or later, in which Vanderbilt University has addressed these bugs.
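The following is an added example, not REDCap's code and not Trustwave's proof of concept: it shows how a user-supplied field value such as a calendar event title is parsed as markup when interpolated raw into HTML, beside the output encoding that makes the browser treat it as plain text. The event object, its field names and the sample value are constructed for illustration.

```javascript
// Added example (not REDCap code): HTML-escaping an untrusted field value before it
// is placed in a page, the basic mitigation for the XSS class the advisory describes.
// The event object, field names and sample value below are constructed.

const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
};

// Escape the five characters that can break out of HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Unsafe rendering: raw interpolation into markup. Whatever a user typed into the
// field (a calendar event title, a survey label, a dashboard name) is handed to the
// HTML parser and any tags in it become live elements.
function renderEventUnsafe(event) {
  return `<li class="event">${event.title}</li>`;
}

// Hardened rendering: the same markup, with the untrusted value escaped so the
// browser displays it as text instead of interpreting it as tags or attributes.
// (In DOM code the equivalent is assigning to textContent rather than innerHTML.)
function renderEventSafe(event) {
  return `<li class="event">${escapeHtml(event.title)}</li>`;
}

// Constructed sample: a stored field value carrying a script tag. The alert on
// document.domain mirrors the harmless probe described in the advisory.
const sampleEvent = {
  id: "evt-1",                                      // constructed
  title: "<script>alert(document.domain)</script>", // constructed test value
};

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe:", renderEventUnsafe(sampleEvent));
  console.log("safe:  ", renderEventSafe(sampleEvent));
}
```

Run with `node`: the unsafe line contains a real `<script>` element, the safe line contains only entity-encoded text. Escaping must happen at the point of output, in the context where the value lands (HTML text here; attribute, URL and JavaScript contexts each need their own encoder), not once at input time.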
