CVE-2019-13029

MEDIUM

REDCap 8.0-8.10.2 - Stored Cross-Site Scripting in Admin Panel and Survey System

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-13029. PoCs published by Alexandre ZANNI.

AI-analyzed exploit summary This exploit demonstrates multiple stored XSS vulnerabilities in REDCap versions before 9.1.2 and 8.10.2. The PoC includes payloads for various attack vectors such as project names, calendar events, CSV uploads, survey queues, and survey management.

Description

Multiple stored Cross-site scripting (XSS) issues in the admin panel and survey system in REDCap 8 before 8.10.20 and 9 before 9.1.2 allow an attacker to inject arbitrary malicious HTML or JavaScript code into a user's web browser.

Exploits (1)

exploitdb WORKING POC
by Alexandre ZANNI · textwebappsphp
https://www.exploit-db.com/exploits/47146

This exploit demonstrates multiple stored XSS vulnerabilities in REDCap versions before 9.1.2 and 8.10.2. The PoC includes payloads for various attack vectors such as project names, calendar events, CSV uploads, survey queues, and survey management.

Classification
Working Poc 100%
Attack Type
Xss
Complexity
Trivial
Reliability
Reliable
Target: REDCap < 9.1.2 and < 8.10.2
Auth required
Prerequisites: Admin privileges to store the XSS payloads
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Scores

CVSS v3 4.8
EPSS 0.0247
EPSS Percentile 82.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (1)
vanderbilt/redcap 8.0 - 8.10.2
Published Jul 11, 2019
Tracked Since Feb 18, 2026