CVE-2025-23111

An issue was discovered in REDCap 14.9.6. It allows HTML Injection via the Survey field name, exposing users to a redirection to a phishing website. An attacker can exploit this to trick the user that receives the survey into clicking on the field name, which redirects them to a phishing website. Thus, this allows malicious actions to be executed without user consent.

Published: Jan 10, 2025
Updated: May 4, 2025
CVE: CVE-2025-23111
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.1
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
vanderbilt / redcap	14.9.6	14.9.6.x

https://github.com/ping-oui-no/Vulnerability-Research-CVESS/blob/main/RedCap/CVE_YYYY/README.md

Vulnerability Database

289,697

CVE-2025-23111