SpiderLabs Blog

Multiple Cross-Site Scripting (XSS) Vulnerabilities in REDCap (CVE-2024-37394, CVE-2024-37395, and CVE-2024-37396)

Written by Hamza Hussain | Jul 30, 2024 4:29:12 PM

Trustwave SpiderLabs uncovered multiple stored cross-site scripting (XSS) vulnerabilities (CVE-2024-37394, CVE-2024-37395, and CVE-2024-37396) in REDCap (Research Electronic Data Capture), a widely used web application for building and managing online surveys and databases in research environments.

These vulnerabilities, if exploited, could allow attackers to execute malicious JavaScript code in victims' browsers, potentially compromising sensitive data.


About REDCap

REDCap, developed by Vanderbilt University, is a secure platform designed for data collection in research studies and operations. REDCap is popular among scientific institutions and universities that require strict compliance with government regulations and data privacy laws when conducting data collection for research purposes. It is particularly useful for managing studies that often contain sensitive or private information.


The Vulnerabilities

Security researchers on Trustwave's SpiderLabs team identified stored XSS vulnerabilities in multiple locations within REDCap version 13.1.9. These vulnerabilities allow authenticated users to inject malicious JavaScript code that executes when other users view the affected areas.

The vulnerable locations include:

  1. Calendar Events
  2. Public Surveys
  3. Project Dashboards

While the REDCap session cookie was found to have the "HttpOnly" attribute set during testing, these vulnerabilities could still pose significant risks to users and their data.


Proof of Concept

Our researchers developed proof-of-concept exploits for each vulnerable location. In each case, they were able to inject a simple JavaScript payload that, when triggered, executes an alert displaying the document domain.

The JavaScript payload could be entered into the following fields:

  • Calendar Events Notes
  • Public Survey Titles & Public Survey Instructions
  • Dashboard Titles & Dashboard Content

For example, the following payload was used:

```html
<a href="javascript&colon;alert(document.domain);">Click Me</a>
```

This payload, when inserted into the fields listed above, created clickable elements that executed the JavaScript when a user clicked them. The `&colon;` entity is decoded by the browser when it parses the attribute, so the link resolves to a `javascript:` URL even though the literal string `javascript:` never appears in the stored input.
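As an added illustration (not code from the advisory or from REDCap), the following Python shows why a naive substring filter misses the entity-encoded `javascript&colon;` payload above, and how an allowlist check on the decoded URL scheme handles that payload and related variants (case changes, whitespace inside the scheme). The sample anchors and the names `SAMPLE_ANCHORS`, `HREF_RE` and `SAFE_SCHEMES` are constructed for this example.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed inputs for this example: the advisory's payload plus variants
# of the same idea (entity encoding, case, embedded whitespace) and two
# harmless links that a filter must keep.
SAMPLE_ANCHORS = [
    '<a href="javascript&colon;alert(document.domain);">Click Me</a>',
    '<a href="JAVASCRIPT:alert(1)">x</a>',
    '<a href="java\tscript:alert(1)">x</a>',
    '<a href="https://example.org/survey">ok</a>',
    '<a href="/redcap/index.php?pid=1">relative</a>',
]

HREF_RE = re.compile(r'href\s*=\s*"([^"]*)"', re.IGNORECASE)
SAFE_SCHEMES = {"http", "https", "mailto", ""}  # "" means a relative URL


def naive_blocklist_passes(markup: str) -> bool:
    """Weak check: only the literal lowercase 'javascript:' is rejected, so
    '&colon;', upper case or a tab inside the scheme all slip through."""
    return "javascript:" not in markup


def normalize_href(raw: str) -> str:
    """Mirror what the browser does before it resolves the link: decode
    entities (turning '&colon;' into ':') and drop ASCII whitespace and
    control characters, which are ignored inside a URL scheme."""
    return re.sub(r"[\x00-\x20\x7f]", "", html.unescape(raw))


def href_allowed(raw: str) -> bool:
    """Allowlist check on the scheme of the normalized href."""
    return urlsplit(normalize_href(raw)).scheme.lower() in SAFE_SCHEMES


def sanitize_anchors(markup: str) -> str:
    """Neutralize any anchor whose href fails the allowlist before storage;
    the original attribute text is kept unchanged when it passes."""
    def fix(match):
        return match.group(0) if href_allowed(match.group(1)) else 'href="#"'
    return HREF_RE.sub(fix, markup)


if __name__ == "__main__":
    for anchor in SAMPLE_ANCHORS:
        print(f"blocklist passes={naive_blocklist_passes(anchor)!s:5} "
              f"-> {sanitize_anchors(anchor)}")
```

A pattern-based filter like this illustrates the decision point; a maintained HTML sanitizer with an element and attribute allowlist, plus context-appropriate output encoding, is the production-grade form of the same idea.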


CVE Assignments

CVE-2024-37396

Stored Cross-Site Scripting (XSS) Vulnerability in REDCap Calendar Function

A stored cross-site scripting (XSS) vulnerability in the Calendar function of Vanderbilt REDCap 13.1.9 allows authenticated users to execute arbitrary web scripts or HTML by injecting a crafted payload into the 'Notes' field of a calendar event. This could lead to the execution of malicious scripts when the event is viewed. Updating to version 14.2.1 or later is recommended to remediate this vulnerability.

CVE-2024-37395

Stored Cross-Site Scripting (XSS) Vulnerability in REDCap Public Survey

A stored cross-site scripting (XSS) vulnerability in the Public Survey function of Vanderbilt REDCap 13.1.9 allows authenticated users to execute arbitrary web scripts or HTML by injecting a crafted payload into the 'Survey Title' and 'Survey Instructions' fields. This vulnerability could be exploited by attackers to execute malicious scripts when the survey is accessed through its public link. It is advised to update to version 14.2.1 or later to fix this issue.

CVE-2024-37394

Stored Cross-Site Scripting (XSS) Vulnerability in REDCap Project Dashboards

A stored cross-site scripting (XSS) vulnerability in the Project Dashboards of Vanderbilt REDCap 13.1.9 allows authenticated users to execute arbitrary web scripts or HTML by injecting a crafted payload into the 'Dashboard title' and 'Dashboard content' text boxes. This can lead to the execution of malicious scripts when the dashboard is viewed. Users are recommended to update to version 14.2.1 or later to mitigate this vulnerability.


Impact

These vulnerabilities could allow attackers to:

  • Steal sensitive information from users' browsers
  • Perform actions on behalf of the victim
  • Manipulate the appearance and functionality of the REDCap application
  • Potentially gain unauthorized access to protected data


Remediation

Vanderbilt University has addressed these vulnerabilities in REDCap version 14.2.1. We strongly recommend all REDCap users update to this version or later immediately.


Responsible Disclosure

Trustwave SpiderLabs reported these vulnerabilities to Vanderbilt University as part of our commitment to responsible disclosure. Our Responsible Disclosure policy is posted publicly here.


Conclusion

While REDCap undergoes regular security testing and has addressed numerous vulnerabilities over time, this discovery in version 13.1.9 demonstrates that even well-established software can harbor hidden security flaws. REDCap's history includes multiple CVEs, reflecting both the attention it receives from security researchers and its development team's commitment to addressing identified issues.

This case reminds us that security is an ongoing process, not a one-time achievement. For organizations using REDCap, especially those handling sensitive research data, this underscores the importance of staying current with the latest software versions, conducting continuous security assessments, and implementing additional security layers.

We encourage all REDCap users to update to the latest secure version and maintain vigilance in their overall security posture, including regular audits, proper configuration, and user education about potential risks.


References

TWSL2024-003: Stored Cross-Site Scripting in Multiple REDCap Locations