CVE-2024-56312

low-risk

Published 2024-12-22

A stored cross-site scripting (XSS) vulnerability in the Project Dashboard name of REDCap through 14.9.6 allows authenticated users to inject malicious scripts into the name field of a Project Dashboard. When a user clicks on the project Dashboard name, the crafted payload is executed, potentially enabling the execution of arbitrary web scripts.

Do I need to act?

0.20% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.4/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Redcap

Affected Vendors

Vanderbilt

References (2)

Exploit https://github.com/ping-oui-no/Vulnerability-Research-CVESS/tree/main/RedCap

Product https://www.evms.edu/research/resources_services/redcap/redcap_change_log/

/ 100

low-risk

Severity 21/34 · High

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal