CVE-2024-56377 MEDIUM

CVE-2024-56377

Vendor Vanderbilt

Product REDCap

Weakness CWE-79 · XSS

Published January 9, 2025

Last update January 10, 2025

View on NVD All CVEs

CVSS base score

5.4/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction Required

Confidentiality Low

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

A stored cross-site scripting (XSS) vulnerability in survey titles of REDCap 14.9.6 allows authenticated users to inject malicious scripts into the Survey Title field or Survey Instructions. When a user receives a survey and clicks anywhere on the survey page to enter data, the crafted payload (which has been injected into all survey fields) is executed, potentially enabling the execution of arbitrary web scripts.

Key dates

02Disclosure timeline

January 9, 2025 CVE published

January 10, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2024-56377

Related vulnerabilities

04Related CVE

CVE-2026-24351 Stored XSS in PluXml CMS CVE-2026-49368 CVE-2024-4398 HTML5 Audio Player- Best WordPress Audio Player Plugin <= 2.2.19 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets CVE-2025-9371 Betheme <= 28.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'page_title' CVE-2025-3781 Raisely Donation Form <= 1.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via raisely_donation_form Shortcode