CVE-2024-37395

A stored cross-site scripting (XSS) vulnerability in the Public Survey function of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Survey Title' and 'Survey Instructions' fields. This vulnerability could be exploited by attackers to execute malicious scripts when the survey is accessed through its public link. It is advised to update to version 14.2.1 or later to fix this issue.

CVSS

No CVSS.

References

Link	Resource
https://www.evms.edu/research/resources_services/redcap/redcap_change_log/	Product
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/multiple-cross-site-scripting-xss-vulnerabilities-in-redcap-cve-2024-37394-cve-2024-37395-and-cve-2024-37396/	Third Party Advisory Exploit
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/multiple-cross-site-scripting-xss-vulnerabilities-in-redcap-cve-2024-37394-cve-2024-37395-and-cve-2024-37396/	Third Party Advisory Exploit
https://www.trustwave.com/hubfs/Web/Library/Advisories_txt/TWSL2024-003_XSS_REDCap_1.txt	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*

History

16 Jun 2025, 15:15

Type	Values Removed	Values Added
References	~~() https://www.trustwave.com/hubfs/Web/Library/Advisories_txt/TWSL2024-003_XSS_REDCap_1.txt -~~	() https://www.trustwave.com/hubfs/Web/Library/Advisories_txt/TWSL2024-003_XSS_REDCap_1.txt - Exploit, Third Party Advisory
References	~~() https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ -~~	() https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ - Product
References	~~() https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/multiple-cross-site-scripting-xss-vulnerabilities-in-redcap-cve-2024-37394-cve-2024-37395-and-cve-2024-37396/ -~~	() https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/multiple-cross-site-scripting-xss-vulnerabilities-in-redcap-cve-2024-37394-cve-2024-37395-and-cve-2024-37396/ - Third Party Advisory, Exploit
CPE		cpe:2.3:a:vanderbilt:redcap::::::::
First Time		Vanderbilt Vanderbilt redcap

10 Jun 2025, 18:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-10 18:15

Updated : 2025-06-16 15:15

NVD link : CVE-2024-37395

Mitre link : CVE-2024-37395

JSON object : View

Products Affected

vanderbilt

redcap

CWE

No CWE.

JSON object

Attach tags to CVE-2024-37395

Attach tags to `CVE-2024-37395`