Vanderbilt Redcap
41 CVEs affecting Vanderbilt Redcap. Latest disclosed: 2026-01-02. Critical: 2, High: 5.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2020-26712 | Critical | 9.8 | 2021-01-12 | REDCap 10.3.4 contains a SQL injection vulnerability in the ToDoList function via sort parameter. The application uses the addition of a string of information… |
| CVE-2021-42136 | Critical | 9.0 | 2022-04-13 | A stored Cross-Site Scripting (XSS) vulnerability in the Missing Data Codes functionality of REDCap before 11.4.0 allows remote attackers to execute JavaScript… |
| CVE-2024-56311 | High | 8.8 | 2024-12-22 | REDCap through 14.9.6 has a security flaw in the Notes section of calendar events, exposing users to a Cross-Site Request Forgery (CSRF) attack. An attacker ca… |
| CVE-2024-56310 | High | 8.8 | 2024-12-22 | REDCap through 14.9.6 has a security flaw in the Project Dashboards name, exposing users to a Cross-Site Request Forgery (CSRF) attack. An attacker can exploit… |
| CVE-2017-7351 | High | 8.8 | 2018-02-08 | A SQL injection issue exists in a file upload handler in REDCap 7.x before 7.0.11 via a trailing substring to SendITController:upload. |
| CVE-2017-10961 | High | 8.8 | 2017-07-18 | REDCap before 7.5.1 has CSRF in the deletion feature of the File Repository and File Upload components. |
| CVE-2019-14937 | High | 7.5 | 2019-08-17 | REDCap before 9.3.0 allows time-based SQL injection in the edit calendar event via the cal_id parameter, such as cal_id=55 and sleep(3) to Calendar/calendar_po… |
| CVE-2023-38825 | Medium | 6.5 | 2024-03-21 | SQL injection vulnerability in Vanderbilt REDCap before v.13.8.0 allows a remote attacker to obtain sensitive information via the password reset mechanism in M… |
| CVE-2025-23112 | Medium | 6.1 | 2025-01-10 | An issue was discovered in REDCap 14.9.6. A stored cross-site scripting (XSS) vulnerability allows authenticated users to inject malicious scripts into the Sur… |
| CVE-2025-23110 | Medium | 6.1 | 2025-01-10 | An issue was discovered in REDCap 14.9.6. A Reflected cross-site scripting (XSS) vulnerability in the email-subject field exists while performing an upload of… |
| CVE-2024-45527 | Medium | 6.1 | 2024-09-02 | REDCap 14.7.0 allows HTML injection via the project title of a New Project action. This can lead to resultant logout CSRF via index.php?logout=1, and can also… |
| CVE-2022-42715 | Medium | 6.1 | 2022-10-12 | A reflected XSS vulnerability exists in REDCap before 12.04.18 in the Alerts & Notifications upload feature. A crafted CSV file will, when uploaded, trigger ar… |
| CVE-2020-26713 | Medium | 6.1 | 2021-01-12 | REDCap 10.3.4 contains a XSS vulnerability in the ToDoList function with parameter sort. The information submitted by the user is immediately returned in the r… |
| CVE-2017-10962 | Medium | 6.1 | 2017-07-18 | REDCap before 7.5.1 has XSS via the query string. |
| CVE-2024-37396 | Medium | 5.4 | 2025-06-10 | A stored cross-site scripting (XSS) vulnerability in the Calendar function of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML… |
| CVE-2024-37395 | Medium | 5.4 | 2025-06-10 | A stored cross-site scripting (XSS) vulnerability in the Public Survey function of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or… |
| CVE-2024-37394 | Medium | 5.4 | 2025-06-10 | A stored cross-site scripting (XSS) vulnerability in the Project Dashboards of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML… |
| CVE-2024-56377 | Medium | 5.4 | 2025-01-09 | A stored cross-site scripting (XSS) vulnerability in survey titles of REDCap 14.9.6 allows authenticated users to inject malicious scripts into the Survey Titl… |
| CVE-2024-56376 | Medium | 5.4 | 2025-01-09 | A stored cross-site scripting (XSS) vulnerability in the built-in messenger of REDCap 14.9.6 allows authenticated users to inject malicious scripts into the me… |
| CVE-2024-56314 | Medium | 5.4 | 2024-12-22 | A stored cross-site scripting (XSS) vulnerability in the Project name of REDCap through 14.9.6 allows authenticated users to inject malicious scripts into the… |