CVE-2024-37396
MEDIUMREDCap < 14.2.1 - Authenticated Stored Cross-Site Scripting in Calendar Notes Field
Title source: llmDescription
A stored cross-site scripting (XSS) vulnerability in the Calendar function of REDCap 13.1.9 allows authenticated users to execute arbitrary web script or HTML by injecting a crafted payload into the 'Notes' field of a calendar event. This could lead to the execution of malicious scripts when the event is viewed. Updating to version 14.2.1 or later is recommended to remediate this vulnerability.
References (3)
Core 3
Core References
Exploit, Third Party Advisory
https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/multiple-cross-site-scripting-xss-vulnerabilities-in-redcap-cve-2024-37394-cve-2024-37395-and-cve-2024-37396/
Exploit, Third Party Advisory
https://www.trustwave.com/hubfs/Web/Library/Advisories_txt/TWSL2024-003_XSS_REDCap_1.txt
Scores
CVSS v3
5.4
EPSS
0.0034
EPSS Percentile
26.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (1)
vanderbilt/redcap
< 14.2.1
Published
Jun 10, 2025
Tracked Since
Feb 18, 2026