CVE-2025-23111

MEDIUM

REDCap 14.9.6 - HTML Injection via Survey Field Name

Title source: llm
STIX 2.1

Description

An issue was discovered in REDCap 14.9.6. It allows HTML Injection via the Survey field name, exposing users to a redirection to a phishing website. An attacker can exploit this to trick the user that receives the survey into clicking on the field name, which redirects them to a phishing website. Thus, this allows malicious actions to be executed without user consent.

Scores

CVSS v3 4.7
EPSS 0.0027
EPSS Percentile 18.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-79
Status published
Products (1)
vanderbilt/redcap 14.9.6
Published Jan 10, 2025
Tracked Since Feb 18, 2026