CVE-2021-42136

Name of the Vulnerable Software and Affected Versions REDCap versions prior to 11.4.0

Description A stored Cross-Site Scripting (XSS) vulnerability in the Missing Data Codes functionality allows remote attackers to execute JavaScript code in the client's browser by storing said code as a Missing Data Code value. This can then be leveraged to execute a Cross-Site Request Forgery attack to escalate privileges to administrator.

Recommendations For versions prior to 11.4.0, update to version 11.4.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the Missing Data Codes functionality to minimize the risk of exploitation. Avoid using the Missing Data Code value to store unvalidated user input until the issue is resolved.