CVE-2024-56376

Name of the Vulnerable Software and Affected Versions REDCap version 14.9.6

Description A stored cross-site scripting (XSS) vulnerability in the built-in messenger of REDCap allows authenticated users to inject malicious scripts into the message field. When a user clicks on the received message, the crafted payload is executed, potentially enabling the execution of arbitrary web scripts.

Recommendations For REDCap version 14.9.6, consider disabling the built-in messenger feature until a patch is available to prevent the injection of malicious scripts. Restrict access to the message field to minimize the risk of exploitation. Avoid using the built-in messenger for sensitive communications until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.