PT-2022-16406 · Redcap · Redcap
Published 2022-06-15 · Updated 2022-06-24 · CVE-2022-24004
CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions
REDCap version 12.0.11
Description
A Stored Cross-Site Scripting issue was discovered in the messenger ajax.php file. This issue allows any authenticated user to inject arbitrary code into the new title field when editing an existing conversation. The payload executes in the browser of any conversation participant with the sidebar shown.
Recommendations
For REDCap version 12.0.11, consider disabling the editing functionality of conversation titles until a patch is available to prevent exploitation of this issue. Restrict access to the messenger ajax.php file to minimize the risk of arbitrary code injection. Avoid using the new title field in the affected messenger functionality until the issue is resolved.
Exploit
Fix
XSS
Affected Products
Redcap