CVE-2021-42136

CRITICAL

Vanderbilt Redcap < 11.4.0 - XSS

Title source: rule

Description

A stored Cross-Site Scripting (XSS) vulnerability in the Missing Data Codes functionality of REDCap before 11.4.0 allows remote attackers to execute JavaScript code in the client's browser by storing said code as a Missing Data Code value. This can then be leveraged to execute a Cross-Site Request Forgery attack to escalate privileges to administrator.

Exploits (1)

exploitdb WORKING POC

by Kendrick Lam · textwebappsphp

https://www.exploit-db.com/exploits/50877

View Code ZIP pw:eip

References (3)

[Exploit, Third Party Advisory, VDB Entry] http://packetstormsecurity.com/files/166723/REDCap-Cross-Site-Scripting.html

[Release Notes, Third Party Advisory] https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf

[Product] https://www.project-redcap.org/

Scores

CVSS v3 9.0

EPSS 0.0176

EPSS Percentile 82.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H

Details

CWE

CWE-79

Status published

Products (1)

vanderbilt/redcap < 11.4.0

Published Apr 13, 2022

Tracked Since Feb 18, 2026