CVE-2024-37396

MEDIUM

REDCap < 14.2.1 - Authenticated Stored Cross-Site Scripting in Calendar Notes Field

Title source: llm
STIX 2.1

Description

A stored cross-site scripting (XSS) vulnerability in the Calendar function of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Notes' field of a calendar event. This could lead to the execution of malicious scripts when the event is viewed. Updating to version 14.2.1 or later is recommended to remediate this vulnerability.

Scores

CVSS v3 5.4
EPSS 0.0034
EPSS Percentile 26.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (1)
vanderbilt/redcap < 14.2.1
Published Jun 10, 2025
Tracked Since Feb 18, 2026