彙總 vanderbilt 相關全部產品的 CVE 與安全漏洞情報,包括 CVSS、EPSS、公開時間與漏洞情報資料。
常見弱點模式包括 跨站腳本、SQL 注入與CSRF,在 軟體部署與生產負載 使用場景中可能帶來 工作階段劫持與資料外洩 等風險。
相關漏洞資料主要來源於公開漏洞披露與安全公告,可用於評估歷史漏洞暴露面與修補優先順序。
| CVE | 摘要 | 來源 | 最高 CVSS | EPSS % | 公開時間 | 更新時間 |
|---|---|---|---|---|---|---|
| CVE-2024-55374 | REDCap 14.3.13 allows an attacker to enumerate usernames due to an observable discrepancy between login attempts. | [email protected] | 5.3 | 0.03% | 2026-01-02 | 2026-01-12 |
| CVE-2024-37396 | A stored cross-site scripting (XSS) vulnerability in the Calendar function of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Notes' field of a calendar event. This could lead to the execution of malicious scripts when the event is viewed. Updating to version 14.2.1 or later is recommended to remediate this vulnerability. | [email protected] | 5.4 | 0.48% | 2025-06-10 | 2025-06-16 |
| CVE-2024-37395 | A stored cross-site scripting (XSS) vulnerability in the Public Survey function of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Survey Title' and 'Survey Instructions' fields. This vulnerability could be exploited by attackers to execute malicious scripts when the survey is accessed through its public link. It is advised to update to version 14.2.1 or later to fix this issue. | [email protected] | 5.4 | 0.32% | 2025-06-10 | 2025-06-16 |
| CVE-2024-37394 | A stored cross-site scripting (XSS) vulnerability in the Project Dashboards of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Dashboard title' and 'Dashboard content' text boxes. This can lead to the execution of malicious scripts when the dashboard is viewed. Users are recommended to update to version 14.2.1 or later to mitigate this vulnerability. | [email protected] | 5.4 | 0.48% | 2025-06-10 | 2025-06-16 |
| CVE-2025-23113 | An issue was discovered in REDCap 14.9.6. It has an action=myprojects&logout=1 CSRF issue in the alert-title while performing an upload of a CSV file containing a list of alert configuration. An attacker can send the victim a CSV file containing an HTML injection payload in the alert-title. Once the victim uploads the file, he automatically lands on a page to view the uploaded data. If the victim click on the alert-title value, it can trigger a logout request and terminates their session, or red | [email protected] | 3.4 | 0.05% | 2025-01-10 | 2025-02-25 |
| CVE-2025-23112 | An issue was discovered in REDCap 14.9.6. A stored cross-site scripting (XSS) vulnerability allows authenticated users to inject malicious scripts into the Survey field name of Survey. When a user receive the survey, if he clicks on the field name, it triggers the XSS payload. | [email protected] | 6.1 | 0.18% | 2025-01-10 | 2025-02-25 |
| CVE-2025-23111 | An issue was discovered in REDCap 14.9.6. It allows HTML Injection via the Survey field name, exposing users to a redirection to a phishing website. An attacker can exploit this to trick the user that receives the survey into clicking on the field name, which redirects them to a phishing website. Thus, this allows malicious actions to be executed without user consent. | [email protected] | 4.7 | 0.08% | 2025-01-10 | 2025-02-25 |
| CVE-2025-23110 | An issue was discovered in REDCap 14.9.6. A Reflected cross-site scripting (XSS) vulnerability in the email-subject field exists while performing an upload of a CSV file containing a list of alert configurations. An attacker can send the victim a CSV file containing the XSS payload in the email-subject. Once the victim uploads the file, he automatically lands on a page to view the uploaded data. If the victim clicks on the email-subject value, it triggers the XSS payload. | [email protected] | 6.1 | 0.17% | 2025-01-10 | 2025-02-25 |
| CVE-2024-56377 | A stored cross-site scripting (XSS) vulnerability in survey titles of REDCap 14.9.6 allows authenticated users to inject malicious scripts into the Survey Title field or Survey Instructions. When a user receives a survey and clicks anywhere on the survey page to enter data, the crafted payload (which has been injected into all survey fields) is executed, potentially enabling the execution of arbitrary web scripts. | [email protected] | 5.4 | 0.16% | 2025-01-09 | 2025-01-16 |
| CVE-2024-56376 | A stored cross-site scripting (XSS) vulnerability in the built-in messenger of REDCap 14.9.6 allows authenticated users to inject malicious scripts into the message field. When a user click on the received message, the crafted payload is executed, potentially enabling the execution of arbitrary web scripts. | [email protected] | 5.4 | 0.16% | 2025-01-09 | 2025-01-16 |
| CVE-2024-56314 | A stored cross-site scripting (XSS) vulnerability in the Project name of REDCap through 14.9.6 allows authenticated users to inject malicious scripts into the name field of a Project. When a user clicks on the project name to access it, the crafted payload is executed, potentially enabling the execution of arbitrary web scripts. | [email protected] | 5.4 | 0.27% | 2024-12-22 | 2025-04-22 |
| CVE-2024-56313 | A stored cross-site scripting (XSS) vulnerability in the Calendar feature of REDCap through 14.9.6 allows authenticated users to inject malicious scripts into the Notes field of a calendar event. When the event is viewed, the crafted payload is executed, potentially enabling the execution of arbitrary web scripts. | [email protected] | 5.4 | 0.15% | 2024-12-22 | 2025-04-22 |
| CVE-2024-56312 | A stored cross-site scripting (XSS) vulnerability in the Project Dashboard name of REDCap through 14.9.6 allows authenticated users to inject malicious scripts into the name field of a Project Dashboard. When a user clicks on the project Dashboard name, the crafted payload is executed, potentially enabling the execution of arbitrary web scripts. | [email protected] | 5.4 | 0.27% | 2024-12-22 | 2025-04-22 |
| CVE-2024-56311 | REDCap through 14.9.6 has a security flaw in the Notes section of calendar events, exposing users to a Cross-Site Request Forgery (CSRF) attack. An attacker can exploit this by luring users into accessing a calendar event's notes, which triggers a logout request and terminates their session. This vulnerability stems from the absence of CSRF protections on the logout functionality, allowing malicious actions to be executed without user consent. | [email protected] | 8.8 | 0.19% | 2024-12-22 | 2025-04-22 |
| CVE-2024-56310 | REDCap through 14.9.6 has a security flaw in the Project Dashboards name, exposing users to a Cross-Site Request Forgery (CSRF) attack. An attacker can exploit this by luring users into clicking on a Project Dashboards name that contains the malicious payload, which triggers a logout request and terminates their session. This vulnerability stems from the absence of CSRF protections on the logout functionality, allowing malicious actions to be executed without user consent. | [email protected] | 8.8 | 0.19% | 2024-12-22 | 2025-04-22 |
| CVE-2024-45527 | REDCap 14.7.0 allows HTML injection via the project title of a New Project action. This can lead to resultant logout CSRF via index.php?logout=1, and can also be used to insert a link to an external phishing website. | [email protected] | 6.1 | 0.09% | 2024-09-02 | 2025-04-30 |
| CVE-2023-38825 | SQL injection vulnerability in Vanderbilt REDCap before v.13.8.0 allows a remote attacker to obtain sensitive information via the password reset mechanism in MyCapMobileApp/update.php. | [email protected] | 6.5 | 0.07% | 2024-03-21 | 2025-03-05 |
| CVE-2023-37798 | A stored cross-site scripting (XSS) vulnerability in the new REDCap project creation function of Vanderbilt REDCap 13.1.35 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the project title parameter. | [email protected] | 5.4 | 0.08% | 2023-09-07 | 2024-11-21 |
| CVE-2023-37361 | REDCap 12.0.26 LTS and 12.3.2 Standard allows SQL Injection via scheduling, repeatforms, purpose, app_title, or randomization. | [email protected] | 2.7 | 0.05% | 2023-07-25 | 2024-11-21 |
| CVE-2022-42715 | A reflected XSS vulnerability exists in REDCap before 12.04.18 in the Alerts & Notifications upload feature. A crafted CSV file will, when uploaded, trigger arbitrary JavaScript code execution. | [email protected] | 6.1 | 0.46% | 2022-10-12 | 2025-05-15 |