PT-2025-4827 · Redcap · Redcap

Published

2025-01-10

·

Updated

2025-01-11

·

CVE-2025-23111

CVSS v3.1

6.1

Medium

Vector

AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

REDCap version 14.9.6

Description

An HTML Injection vulnerability was discovered in REDCap 14.9.6: markup supplied in a Survey field name is rendered unescaped when the survey is displayed. An attacker can use this to turn the field name into a link to a phishing website; a user who clicks on the field name is redirected there, where further malicious actions can be carried out without the user's consent.

Recommendations

For REDCap version 14.9.6, consider disabling the Survey field name feature until a patch is available, to prevent HTML Injection attacks, and avoid using Survey field names in the affected version until the issue is resolved. Restrict access to the Survey module to minimize the risk of exploitation. At the moment there is no information about a newer version that contains a fix for this vulnerability.
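The following is an added example and is not REDCap's code. It shows the rendering defect the advisory describes (field text interpolated into HTML without escaping, so an injected anchor becomes a clickable phishing link) next to the hardened rendering, and an audit routine an administrator could run over a data dictionary export to find field text that contains tags or URLs before a survey goes live. The phishing host, the sample field rows and the rendering markup are constructed for this example; the CSV column names follow the REDCap data dictionary export format and are treated as an assumption. Legitimate formatting in labels will also be flagged, so the output is a review list, not a verdict.

```python
"""Added example (not REDCap's code): unescaped vs. escaped rendering of
survey field text, plus an audit over a constructed data dictionary export."""
import csv
import html
import io
import re
from typing import List, Tuple

# Constructed attacker-controlled field text; "phish.example" is a placeholder host.
INJECTED_LABEL = (
    'Date of visit <a href="https://phish.example">Click here to continue</a>'
)


def render_field_vulnerable(label: str) -> str:
    """Interpolates the field text straight into the page, so any tag in it is
    interpreted by the browser. This is the behaviour described in the advisory."""
    return f'<td class="labelrc">{label}</td>'  # hypothetical markup


def render_field_hardened(label: str) -> str:
    """Same output shape, but the text is HTML-escaped first so it is shown literally."""
    return f'<td class="labelrc">{html.escape(label, quote=True)}</td>'


# Anything that would be interpreted as a tag, or that carries a link target.
_TAG = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")
_URL = re.compile(r"https?://|javascript:", re.IGNORECASE)


def has_markup(text: str) -> bool:
    """True if the text contains an HTML tag or a URL scheme."""
    return bool(_TAG.search(text) or _URL.search(text))


# Column names as in the REDCap data dictionary CSV export (assumption).
NAME_COLUMN = "Variable / Field Name"
AUDITED_COLUMNS = (NAME_COLUMN, "Field Label")


def audit_data_dictionary(csv_text: str) -> List[Tuple[str, str]]:
    """Returns (variable name, column) pairs whose text contains tags or URLs,
    for an administrator to review before the survey is shown to participants."""
    findings: List[Tuple[str, str]] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for col in AUDITED_COLUMNS:
            if has_markup(row.get(col) or ""):
                findings.append((row[NAME_COLUMN], col))
    return findings


def _build_sample_dictionary() -> str:
    """Constructed three-field export: one clean label, one with the injected
    link, one with ordinary bold formatting (flagged too, for human review)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow([NAME_COLUMN, "Form Name", "Field Type", "Field Label"])
    writer.writerow(["record_id", "survey", "text", "Record ID"])
    writer.writerow(["visit_date", "survey", "text", INJECTED_LABEL])
    writer.writerow(["consent", "survey", "yesno", "Do you <b>consent</b> to participate?"])
    return buf.getvalue()


SAMPLE_DICTIONARY = _build_sample_dictionary()


if __name__ == "__main__":
    print("vulnerable:", render_field_vulnerable(INJECTED_LABEL))
    print("hardened:  ", render_field_hardened(INJECTED_LABEL))
    for name, col in audit_data_dictionary(SAMPLE_DICTIONARY):
        print(f"review: field {name!r}, column {col!r} contains markup or a URL")
```

The hardened renderer is the fix a developer would apply at the output point; the audit is the compensating control an administrator can apply today, in line with the recommendation to avoid risky field names until a fix ships.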

Exploit

XSS

Related Identifiers

CVE-2025-23111

Affected Products

Redcap