CVE-2025-23111
MEDIUMREDCap 14.9.6 - HTML Injection via Survey Field Name
Title source: llmDescription
An issue was discovered in REDCap 14.9.6. It allows HTML Injection via the Survey field name, exposing users to a redirection to a phishing website. An attacker can exploit this to trick the user that receives the survey into clicking on the field name, which redirects them to a phishing website. Thus, this allows malicious actions to be executed without user consent.
References (1)
Core 1
Core References
Scores
CVSS v3
4.7
EPSS
0.0027
EPSS Percentile
18.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-79
Status
published
Products (1)
vanderbilt/redcap
14.9.6
Published
Jan 10, 2025
Tracked Since
Feb 18, 2026