Ralph El-khoury (Hacknowledge Lu)

7 exploits Active since Dec 2024
CVE-2024-56310 WRITEUP HIGH WRITEUP
REDCap < 14.9.6 - Cross-Site Request Forgery via Project Dashboards Name
REDCap through 14.9.6 has a security flaw in the Project Dashboards name, exposing users to a Cross-Site Request Forgery (CSRF) attack. An attacker can exploit this by luring users into clicking on a Project Dashboards name that contains the malicious payload, which triggers a logout request and terminates their session. This vulnerability stems from the absence of CSRF protections on the logout functionality, allowing malicious actions to be executed without user consent.
CVSS 8.8
CVE-2024-56311 WRITEUP HIGH WRITEUP
REDCap < 14.9.6 - Cross-Site Request Forgery via Calendar Event Notes
REDCap through 14.9.6 has a security flaw in the Notes section of calendar events, exposing users to a Cross-Site Request Forgery (CSRF) attack. An attacker can exploit this by luring users into accessing a calendar event's notes, which triggers a logout request and terminates their session. This vulnerability stems from the absence of CSRF protections on the logout functionality, allowing malicious actions to be executed without user consent.
CVSS 8.8
CVE-2024-56312 WRITEUP MEDIUM WRITEUP
REDCap <= 14.9.6 - Authenticated Stored Cross-Site Scripting in Project Dashboard Name
A stored cross-site scripting (XSS) vulnerability in the Project Dashboard name of REDCap through 14.9.6 allows authenticated users to inject malicious scripts into the name field of a Project Dashboard. When a user clicks on the project Dashboard name, the crafted payload is executed, potentially enabling the execution of arbitrary web scripts.
CVSS 5.4
CVE-2024-56313 WRITEUP MEDIUM WRITEUP
REDCap <= 14.9.6 - Authenticated Stored Cross-Site Scripting in Calendar Notes Field
A stored cross-site scripting (XSS) vulnerability in the Calendar feature of REDCap through 14.9.6 allows authenticated users to inject malicious scripts into the Notes field of a calendar event. When the event is viewed, the crafted payload is executed, potentially enabling the execution of arbitrary web scripts.
CVSS 5.4
CVE-2024-56314 WRITEUP MEDIUM WRITEUP
REDCap <= 14.9.6 - Authenticated Stored Cross-Site Scripting in Project Name Field
A stored cross-site scripting (XSS) vulnerability in the Project name of REDCap through 14.9.6 allows authenticated users to inject malicious scripts into the name field of a Project. When a user clicks on the project name to access it, the crafted payload is executed, potentially enabling the execution of arbitrary web scripts.
CVSS 5.4
CVE-2024-56376 WRITEUP MEDIUM WRITEUP
REDCap 14.9.6 - Authenticated Stored Cross-Site Scripting in Messenger Message Field
A stored cross-site scripting (XSS) vulnerability in the built-in messenger of REDCap 14.9.6 allows authenticated users to inject malicious scripts into the message field. When a user click on the received message, the crafted payload is executed, potentially enabling the execution of arbitrary web scripts.
CVSS 5.4
CVE-2024-56377 WRITEUP MEDIUM WRITEUP
REDCap 14.9.6 - Authenticated Stored Cross-Site Scripting via Survey Title Field
A stored cross-site scripting (XSS) vulnerability in survey titles of REDCap 14.9.6 allows authenticated users to inject malicious scripts into the Survey Title field or Survey Instructions. When a user receives a survey and clicks anywhere on the survey page to enter data, the crafted payload (which has been injected into all survey fields) is executed, potentially enabling the execution of arbitrary web scripts.
CVSS 5.4