REDCap Cross-Site Request Forgery Vulnerability in Alert Title Handling

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in REDCap version 14.9.6. The issue arises when uploading a CSV file that includes a list of alert configurations. An attacker could craft a CSV file with an HTML injection payload in the alert title. Once the victim uploads this file, they are directed to a page displaying the uploaded data. If the victim clicks on the alert title, it can either trigger a logout request, terminating their session, or redirect them to a phishing website. This vulnerability exists due to the lack of CSRF protections on the logout functionality.
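
The two defensive fixes this advisory points to, output-encoding the imported alert title and requiring a POST plus a session-bound token for logout, as an added example in Python that is not REDCap code; the CSV column names, the sample rows and the placeholder URL are assumptions.

```python
import csv
import hmac
import html
import io
import secrets

# Constructed sample upload: one alert whose title carries HTML markup
# (the input shape the advisory describes; example.invalid is a placeholder).
SAMPLE_CSV = (
    "alert_title,alert_message\n"
    '"<a href=""https://example.invalid/"">Weekly reminder</a>",Please review\n'
    "Plain title,Nothing special\n"
)

def parse_alerts(csv_text):
    """Read alert configurations from an uploaded CSV (assumed column names)."""
    return list(csv.DictReader(io.StringIO(csv_text)))

def render_title_vulnerable(title):
    # Interpolates the title verbatim: markup from the CSV becomes live HTML.
    return f"<td>{title}</td>"

def render_title_fixed(title):
    # Output-encodes the title, so markup is displayed as text, not rendered.
    return f"<td>{html.escape(title, quote=True)}</td>"

def contains_markup(title):
    """Review-time check: does escaping change the title at all?"""
    return html.escape(title, quote=True) != title

def issue_csrf_token(session):
    """Store a fresh random token in the server-side session for the logout form."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]

def handle_logout(method, session, submitted_token):
    """End the session only on POST with a matching token; returns True if logged out."""
    if method != "POST":
        return False  # a plain link (GET) can no longer terminate the session
    expected = session.get("csrf_token")
    if not expected or submitted_token is None:
        return False
    if not hmac.compare_digest(expected, submitted_token):
        return False
    session.clear()
    return True
```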

Impact

Exploitation of this vulnerability can lead to unauthorized session termination or potential phishing attacks.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

  Category         Score
  spread           1.9
  impact           2.3
  exploitability   6.4
  remediation      0.0
  relevance        0.0
  threat           0.0
  urgency          2.9
  incentive        1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.