Blog

CVE-2023-37798: Stored Cross-Site Scripting in Vanderbilt REDCap

Written by Admin | Sep 6, 2023 5:00:00 AM

Cyderes has discovered a stored cross-site scripting (XSS) vulnerability within Vanderbilt REDCap, a web application that allows users to create and manage online surveys for research purposes.

In early July 2023, Cyderes observed that version 13.1.35 and below of REDCap allows a remote authenticated user to inject arbitrary code via a project creation functionality for registered users to build surveys. For each created project, there is an editable title field that does not filter input, and this makes it possible to inject malicious JavaScript and HTML into the application.

In terms of impact, the above issue could potentially be exploited to redirect users to a website controlled by malicious actors, which may ultimately lead to credential harvesting or downloaded malware.

Keeping with industry best practices, Cyderes contacted Vanderbilt to disclose this identified vulnerability. Vanderbilt began remediation immediately and promptly released a patched version (13.8.0).

Figure 1: 13.8.0 version released with fixes

Disclosure Timeline for CVE-2023-37798

  • July 5, 2023: Cyderes discovered vulnerability
  • July 5, 2023: Cyderes informed vendor
  • July 5, 2023: Vendor acknowledged and started fixing the bug
  • July 6, 2023: Vendor informed Cyderes of fix release for July 7, 2023 (version: 13.1.37 LTS, 13.7.4 SR, 13.8.0 SR/new LTS version)
  • July 6, 2023: Cyderes submitted a CVE request
  • July 14, 2023: The CVE was assigned [on hold]
  • Sep 6, 2023: Cyderes published this blog post

Technical Details

Affected Component

Version: 13.1.35 and below

Vulnerable parameter: Project title

Proof of Concept

Example payload: <image/src/onerror=alert(‘vulnerable_To_XSS’)>

Figure 2: XSS payload

To execute the payload, simply click on the project title.

Figure 3: Payload execution

Recommendation

Any area of a web application that accepts and stores user input generally should not be trusted. Cyderes recommends taking appropriate measures to sanitize or encode data before being shown in a later browser response.

Credits

Special thanks to Michael Tomlinson for helping in the CVE request process.

By Mohit Kalsi

Mohit is a security consultant and pentester on the offensive security team at Cyderes. He has a keen interest in network and Active Directory pentesting, having journeyed through the realms of vulnerability management and walked the path of a SOC analyst in a past role. Passionate about cybersecurity, Mohit’s relentless curiosity not only keeps him synced with the latest threats and techniques; it drives him to approach security challenges from various angles to deliver effective solutions. 

If you’re looking to contact one of our thought leaders, bolster your cybersecurity program, or just have a question feel free to reach out to us.

Let’s Start a Conversation

For more cybersecurity tips, follow Cyderes on LinkedIn and Twitter.
View full post