Vulnerability Description
A stored Cross-Site Scripting (XSS) vulnerability in the Missing Data Codes functionality of REDCap before 11.4.0 allows remote attackers to execute JavaScript code in the client's browser by storing said code as a Missing Data Code value. This can then be leveraged to execute a Cross-Site Request Forgery attack to escalate privileges to administrator.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Vanderbilt | Redcap | < 11.4.0 |
Related Weaknesses (CWE)
References
- http://packetstormsecurity.com/files/166723/REDCap-Cross-Site-Scripting.htmlExploitThird Party AdvisoryVDB Entry
- https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdfRelease NotesThird Party Advisory
- https://www.project-redcap.org/Product
- http://packetstormsecurity.com/files/166723/REDCap-Cross-Site-Scripting.htmlExploitThird Party AdvisoryVDB Entry
- https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdfRelease NotesThird Party Advisory
- https://www.project-redcap.org/Product
FAQ
What is CVE-2021-42136?
CVE-2021-42136 is a vulnerability with a CVSS score of 9.0 (CRITICAL). A stored Cross-Site Scripting (XSS) vulnerability in the Missing Data Codes functionality of REDCap before 11.4.0 allows remote attackers to execute JavaScript code in the client's browser by storing ...
How severe is CVE-2021-42136?
CVE-2021-42136 has been rated CRITICAL with a CVSS base score of 9.0/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2021-42136?
Check the references section above for vendor advisories and patch information. Affected products include: Vanderbilt Redcap.