CVE-2024-56310

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-56310
REDCap through 14.9.6 has a security flaw in the Project Dashboards name, exposing users to a Cross-Site Request Forgery (CSRF) attack. An attacker can exploit this by luring users into clicking on a Project Dashboards name that contains the malicious payload, which triggers a logout request and terminates their session. This vulnerability stems from the absence of CSRF protections on the logout functionality, allowing malicious actions to be executed without user consent.

8.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/ping-oui-no/Vulnerability-Research-CVESS/tree/main/RedCap Exploit Third Party Advisory
https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ Product
Configurations

Configuration 1 (hide)

cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*
History

22 Apr 2025, 15:37

Type Values Removed Values Added
First Time Vanderbilt redcap
Vanderbilt
CPE cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*
References () https://github.com/ping-oui-no/Vulnerability-Research-CVESS/tree/main/RedCap - () https://github.com/ping-oui-no/Vulnerability-Research-CVESS/tree/main/RedCap - Exploit, Third Party Advisory
References () https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ - () https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ - Product

19 Mar 2025, 14:15

Type Values Removed Values Added
CWE CWE-352
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 8.8

14 Jan 2025, 17:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : 8.8 		v2 : unknown
v3 : unknown
CWE CWE-352

10 Jan 2025, 11:15

Type Values Removed Values Added
Summary (en) REDCap through 15.0.0 has a security flaw in the Project Dashboards name, exposing users to a Cross-Site Request Forgery (CSRF) attack. An attacker can exploit this by luring users into clicking on a Project Dashboards name that contains the malicious payload, which triggers a logout request and terminates their session. This vulnerability stems from the absence of CSRF protections on the logout functionality, allowing malicious actions to be executed without user consent. (en) REDCap through 14.9.6 has a security flaw in the Project Dashboards name, exposing users to a Cross-Site Request Forgery (CSRF) attack. An attacker can exploit this by luring users into clicking on a Project Dashboards name that contains the malicious payload, which triggers a logout request and terminates their session. This vulnerability stems from the absence of CSRF protections on the logout functionality, allowing malicious actions to be executed without user consent.

24 Dec 2024, 03:15

Type Values Removed Values Added
CWE CWE-352
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 8.8
Summary
  • (es) REDCap hasta la versión 15.0.0 tiene una falla de seguridad en el nombre de Project Dashboards, lo que expone a los usuarios a un ataque de Cross-Site Request Forgery (CSRF). Un atacante puede aprovechar esto al atraer a los usuarios para que hagan clic en un nombre de Project Dashboards que contenga la carga maliciosa, lo que desencadena una solicitud de cierre de sesión y finaliza su sesión. Esta vulnerabilidad se origina en la ausencia de protecciones CSRF en la funcionalidad de cierre de sesión, lo que permite que se ejecuten acciones maliciosas sin el consentimiento del usuario.

22 Dec 2024, 21:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-12-22 21:15

Updated : 2025-04-22 15:37

NVD link : CVE-2024-56310

Mitre link : CVE-2024-56310

CVE.ORG link : CVE-2024-56310

JSON object : View

Products Affected

vanderbilt

  • redcap
CWE
CWE-352

Cross-Site Request Forgery (CSRF)