CVE-2025-23113

Low CVSS: 3.4

An issue was discovered in REDCap 14.9.6. It has an action=myprojects&logout=1 CSRF issue in the alert-title while performing an upload of a CSV file containing a list of alert configuration. An attacker can send the victim a CSV file containing an HTML injection payload in the alert-title. Once the victim uploads the file, he automatically lands on a page to view the uploaded data. If the victim click on the alert-title value, it can trigger a logout request and terminates their session, or redirect to a phishing website. This vulnerability stems from the absence of CSRF protections on the logout functionality.

Vendor

Vanderbilt

Product

Redcap

CWE

CWE-352

Yayın Tarihi

2025-01-10 22:15:28

Güncelleme

2025-02-25 16:11:55

Source Identifier

cve@mitre.org

KEV Date Added

Kategoriler

CWE-352 Redcap LOW Vanderbilt 2025

Referanslar

https://github.com/ping-oui-no/Vulnerability-Research-CVESS/blob/main/RedCap/CVE_XXX/README.md

Benzer Kayıtlar

Medium

CVE-2024-55374

REDCap 14.3.13 allows an attacker to enumerate usernames due to an observable discrepancy between login attempts.

Medium

CVE-2024-37394

A stored cross-site scripting (XSS) vulnerability in the Project Dashboards of REDCap 13.1.9 allows authenticated users…

Medium

CVE-2024-37395

A stored cross-site scripting (XSS) vulnerability in the Public Survey function of REDCap 13.1.9 allows authenticated us…

Medium

CVE-2024-37396

A stored cross-site scripting (XSS) vulnerability in the Calendar function of REDCap 13.1.9 allows authenticated users t…

Medium

CVE-2025-23110

An issue was discovered in REDCap 14.9.6. A Reflected cross-site scripting (XSS) vulnerability in the email-subject fiel…

Medium

CVE-2025-23111

An issue was discovered in REDCap 14.9.6. It allows HTML Injection via the Survey field name, exposing users to a redire…