CyberSec.Space Logo
Back to CVE Browser

CVE-2021-42136

CRITICAL
9.0
CVSS Severity Score
EPSS Score0.0600%
EPSS Percentile12.67th
PublishedApr 13, 2022
Last ModifiedNov 21, 2024

Vulnerability Description

A stored Cross-Site Scripting (XSS) vulnerability in the Missing Data Codes functionality of REDCap before 11.4.0 allows remote attackers to execute JavaScript code in the client's browser by storing said code as a Missing Data Code value. This can then be leveraged to execute a Cross-Site Request Forgery attack to escalate privileges to administrator.

Affected Platforms (CPE)

πŸ“¦
Vanderbilt

Redcap

< 11.4.0

References & Advisories

πŸ”— http://packetstormsecurity.com/files/166723/REDCap-Cross-Site-Scripting.html
πŸ”— https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf
πŸ”— https://www.project-redcap.org/
πŸ”— http://packetstormsecurity.com/files/166723/REDCap-Cross-Site-Scripting.html
πŸ”— https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf
πŸ”— https://www.project-redcap.org/

Related Vulnerabilities

CVE-2013-461110.0

Multiple unspecified vulnerabilities in REDCap before 5.1.1 allow remote attackers to have an unknown impact via vectors involving...

CVE-2013-461010.0

Unspecified vulnerability in the Data Search utility in data-entry forms in REDCap before 5.0.3 and 5.1.x before 5.1.2 has unknown...

CVE-2020-267129.8

REDCap 10.3.4 contains a SQL injection vulnerability in the ToDoList function via sort parameter. The application uses the additio...

CVE-2017-109618.8

REDCap before 7.5.1 has CSRF in the deletion feature of the File Repository and File Upload components.