CVE-2022-42715

A reflected XSS vulnerability exists in REDCap before 12.04.18 in the Alerts & Notifications upload feature. A crafted CSV file will, when uploaded, trigger arbitrary JavaScript code execution.

Published: Oct 12, 2022
Updated: Apr 14, 2023
CVE: CVE-2022-42715
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
vanderbilt / redcap	12.5.0	12.5.11
vanderbilt / redcap	-	12.4.18

https://github.com/uclahs-secops/security-research/tree/main/reports/20221011-recap-xss
https://redcap.med.usc.edu/_shib/assets/ChangeLog_Standard.pdf
https://www.evms.edu/research/resources_services/redcap/redcap_change_log/

Vulnerability Database

289,697

CVE-2022-42715