{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2024-56377", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-01-10T16:59:00.480Z", "dateReserved": "2024-12-22T00:00:00", "datePublished": "2025-01-09T00:00:00"}, "containers": {"cna": {"affected": [{"defaultStatus": "unknown", "product": "REDCap", "vendor": "Vanderbilt", "versions": [{"status": "affected", "version": "14.9.6", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "A stored cross-site scripting (XSS) vulnerability in survey titles of REDCap 14.9.6 allows authenticated users to inject malicious scripts into the Survey Title field or Survey Instructions. When a user receives a survey and clicks anywhere on the survey page to enter data, the crafted payload (which has been injected into all survey fields) is executed, potentially enabling the execution of arbitrary web scripts."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-01-09T23:02:37.249Z"}, "references": [{"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"}, {"url": "https://github.com/ping-oui-no/Vulnerability-Research-CVESS/blob/main/RedCap/CVE-2024-56377/README.md"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*", "versionStartIncluding": "14.9.6", "versionEndIncluding": "14.9.6"}]}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-01-10T16:58:33.284530Z", "id": "CVE-2024-56377", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-10T16:59:00.480Z"}}]}, "dataVersion": "5.1"}

{"dataType": "CVE_RECORD", "containers": {"cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "Vanderbilt", "product": "REDCap", "versions": [{"status": "affected", "version": "14.9.6", "versionType": "semver"}], "defaultStatus": "unknown"}], "references": [{"url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"}, {"url": "https://github.com/ping-oui-no/Vulnerability-Research-CVESS/blob/main/RedCap/CVE-2024-56377/README.md"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "descriptions": [{"lang": "en", "value": "A stored cross-site scripting (XSS) vulnerability in survey titles of REDCap 14.9.6 allows authenticated users to inject malicious scripts into the Survey Title field or Survey Instructions. When a user receives a survey and clicks anywhere on the survey page to enter data, the crafted payload (which has been injected into all survey fields) is executed, potentially enabling the execution of arbitrary web scripts."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndIncluding": "14.9.6", "versionStartIncluding": "14.9.6"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-01-09T23:02:37.249Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-56377", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-10T16:58:33.284530Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2025-01-10T16:58:57.245Z"}}]}, "cveMetadata": {"cveId": "CVE-2024-56377", "state": "PUBLISHED", "dateUpdated": "2025-01-09T23:02:37.249Z", "dateReserved": "2024-12-22T00:00:00", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2025-01-09T00:00:00", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:vanderbilt:redcap:14.9.6:*:*:*:*:*:*:*", "matchCriteriaId": "9A7B89E2-F504-45AE-8AB3-D1E31B2DD5EF", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A stored cross-site scripting (XSS) vulnerability in survey titles of REDCap 14.9.6 allows authenticated users to inject malicious scripts into the Survey Title field or Survey Instructions. When a user receives a survey and clicks anywhere on the survey page to enter data, the crafted payload (which has been injected into all survey fields) is executed, potentially enabling the execution of arbitrary web scripts."}, {"lang": "es", "value": "Una vulnerabilidad de Cross Site Scripting (XSS) almacenado en los t\u00edtulos de las encuestas de REDCap 14.9.6 permite a los usuarios autenticados inyectar secuencias de comandos maliciosas en el campo T\u00edtulo de la encuesta o en las Instrucciones de la encuesta. Cuando un usuario recibe una encuesta y hace clic en cualquier parte de la p\u00e1gina de la encuesta para ingresar datos, se ejecuta el payload manipulado (que se ha inyectado en todos los campos de la encuesta), lo que potencialmente permite la ejecuci\u00f3n de web scripts arbitrarios."}], "id": "CVE-2024-56377", "lastModified": "2025-01-16T21:10:25.790", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "cve@mitre.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-01-09T23:15:08.173", "references": [{"source": "cve@mitre.org", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/ping-oui-no/Vulnerability-Research-CVESS/blob/main/RedCap/CVE-2024-56377/README.md"}, {"source": "cve@mitre.org", "tags": ["Release Notes"], "url": "https://www.evms.edu/research/resources_services/redcap/redcap_change_log/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "cve@mitre.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}