PT-2024-36782 · Redcap · Redcap

Published: 2024-12-22 · Updated: 2025-04-22 · CVE-2024-56311

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: REDCap versions 14.9.6 through 15.0.0

Description: The vulnerability lies in the Notes section of calendar events in REDCap and exposes users to a Cross-Site Request Forgery (CSRF) attack. An attacker can exploit it by luring a user into opening a calendar event's notes; doing so triggers a logout request that terminates the user's session. The root cause is the absence of CSRF protection on the logout functionality, which allows this state-changing action to be performed without the user's consent.

Recommendations: For REDCap versions 14.9.6 through 15.0.0, consider disabling access to the Notes section of calendar events until a patch is available. Restricting the use of the logout functionality may also help minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
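As an added illustration of the missing control the description names (example code, not REDCap's own), the snippet below places a logout handler that ends the session on any request beside one that accepts only a POST carrying the session's CSRF token. The Session and Request classes and the handler names are constructed for this example; it assumes the forged request is a token-less GET that the victim's browser issues while the notes are displayed.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Constructed stand-in for a server-side session record."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))
    active: bool = True


@dataclass
class Request:
    """Constructed stand-in for an incoming HTTP request."""
    method: str
    form: dict = field(default_factory=dict)


def logout_unprotected(session: Session, request: Request) -> int:
    """The pattern the advisory describes: any hit on the logout URL ends the
    session, so a plain GET that the notes content makes the browser send is
    enough to terminate it."""
    session.active = False
    return 302


def logout_protected(session: Session, request: Request) -> int:
    """Hardened handler: logout changes state, so it must be a POST carrying
    the per-session token.  An Origin/Sec-Fetch-Site check alone would not
    help here, because the triggering content is rendered by the application
    itself and the request arrives from the same origin; only a token the
    note's author cannot know ties the request to the user's intent."""
    if request.method != "POST":
        return 405  # GET/HEAD must never change session state
    supplied = request.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, session.csrf_token):
        return 403  # token missing or wrong: ignore it, session stays alive
    session.active = False
    return 302


def forged_logout_request() -> Request:
    """What a cross-site or embedded-resource trigger produces: a bare GET."""
    return Request(method="GET")


def legitimate_logout_request(session: Session) -> Request:
    """The logout form submitted by the user's own browser with its token."""
    return Request(method="POST", form={"csrf_token": session.csrf_token})
```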

Exploit

CSRF

Weakness Enumeration

Related Identifiers: CVE-2024-56311

Affected Products: Redcap