Dangerous XSS Bugs in RedCAP Threaten Academic & Scientific Research

Published: 23/11/2024   Category: security




The security vulnerabilities, CVE-2024-37394, CVE-2024-37395, and CVE-2024-37396, could expose proprietary and sensitive research data to thieves.



Researchers have discovered three cross-site scripting (XSS) vulnerabilities in Research Electronic Data Capture (REDCap), a Web application developed by Vanderbilt University and used for building and managing online surveys and databases for scientific and academic researchers.
The vulnerabilities are tracked as CVE-2024-37394, CVE-2024-37395, and CVE-2024-37396, and they could allow attackers to execute malicious JavaScript code in victims' browsers, potentially compromising sensitive data, according to an advisory from Trustwave's SpiderLabs.
Researchers there identified the vulnerabilities in multiple locations within version 13.1.9 of REDCap, which is popular in universities and scientific institutions for managing studies that contain private, sensitive information. The vulnerable locations in the platform include calendar events, public surveys, and project dashboards.
"Our researchers developed proof-of-concept exploits for each vulnerable location," the researchers wrote. In each case, they were able to inject a simple JavaScript payload that, when triggered, executes an alert displaying the document domain.
The vulnerabilities could allow threat actors to steal sensitive information, impersonate the victim's actions, manipulate the REDCap application, and even gain access to protected data.
It's recommended that users update to REDCap version 14.2.1 or later, where Vanderbilt University has addressed these bugs.
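The root cause behind bugs of this class is untrusted field text (a calendar event title, a survey label, a dashboard name) written into a page as raw HTML. The following added example, which is not REDCap's code and uses hypothetical helper names, contrasts that unsafe rendering pattern with a context-aware entity-encoding fix, using a constructed event whose fields carry the kind of alert(document.domain) payload the advisory describes.

```javascript
// Added illustration, not code from REDCap or Trustwave. Function names are assumptions.

// Minimal HTML entity map covering the characters that break out of text and attribute contexts.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode a value so the browser treats it as literal text, not markup.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable pattern: stored field values concatenated straight into markup.
// A title containing <script> becomes a real script element; notes containing
// a quote can close the title attribute and add an event handler.
function renderEventUnsafe(event) {
  return `<li class="event" title="${event.notes}">${event.title}</li>`;
}

// Hardened pattern: every untrusted value is entity-encoded for its HTML context.
function renderEventSafe(event) {
  return `<li class="event" title="${escapeHtml(event.notes)}">${escapeHtml(event.title)}</li>`;
}

// Crude review check: count <script ...> tags that survived into the rendered HTML.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Constructed sample event: both fields carry a payload of the kind the advisory reports.
const SAMPLE_EVENT = {
  title: '<script>alert(document.domain)</script>',
  notes: '" onmouseover="alert(document.domain)',
};

// Unsafe rendering keeps the script tag and the injected attribute; safe rendering neutralises both.
console.log('unsafe:', renderEventUnsafe(SAMPLE_EVENT));
console.log('safe:  ', renderEventSafe(SAMPLE_EVENT));
```

The same encoding step must be applied at every output point, not just the three locations named in the advisory; a template that auto-escapes by default makes missed spots far less likely.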
