PT-2024-36784 · Redcap · Redcap

Published: 2024-12-22 · Updated: 2025-04-22 · CVE-2024-56313

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: REDCap versions through 14.9.6

Description: A stored cross-site scripting (XSS) vulnerability in the Calendar feature allows authenticated users to inject malicious scripts into the Notes field of a calendar event. When the event is viewed, the crafted payload executes, potentially enabling the execution of arbitrary web scripts.

Recommendations: Update REDCap to a version later than 14.9.6 to resolve the issue. As a temporary workaround, consider restricting access to the Calendar feature or disabling the ability to inject scripts into the Notes field until a patch is available. Avoid using the Notes field in the Calendar feature until the issue is resolved.

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers: CVE-2024-56313

Affected Products: Redcap