CVE-2024-56310

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-56310
REDCap through 14.9.6 has a security flaw in the Project Dashboards name, exposing users to a Cross-Site Request Forgery (CSRF) attack. An attacker can exploit this by luring users into clicking on a Project Dashboards name that contains the malicious payload, which triggers a logout request and terminates their session. This vulnerability stems from the absence of CSRF protections on the logout functionality, allowing malicious actions to be executed without user consent.

8.8 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/ping-oui-no/Vulnerability-Research-CVESS/tree/main/RedCap Exploit Third Party Advisory
https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ Product
Configurations

Configuration 1 (hide)

cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*
History

22 Apr 2025, 15:37

Type Values Removed Values Added
References () https://github.com/ping-oui-no/Vulnerability-Research-CVESS/tree/main/RedCap - () https://github.com/ping-oui-no/Vulnerability-Research-CVESS/tree/main/RedCap - Exploit, Third Party Advisory
References () https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ - () https://www.evms.edu/research/resources_services/redcap/redcap_change_log/ - Product
First Time Vanderbilt redcap
Vanderbilt
CPE cpe:2.3:a:vanderbilt:redcap:*:*:*:*:*:*:*:*

19 Mar 2025, 14:15

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 8.8
CWE CWE-352

14 Jan 2025, 17:15

Type Values Removed Values Added
CWE CWE-352
CVSS v2 : unknown
v3 : 8.8 		v2 : unknown
v3 : unknown

10 Jan 2025, 11:15

Type Values Removed Values Added
Summary (en) REDCap through 15.0.0 has a security flaw in the Project Dashboards name, exposing users to a Cross-Site Request Forgery (CSRF) attack. An attacker can exploit this by luring users into clicking on a Project Dashboards name that contains the malicious payload, which triggers a logout request and terminates their session. This vulnerability stems from the absence of CSRF protections on the logout functionality, allowing malicious actions to be executed without user consent. (en) REDCap through 14.9.6 has a security flaw in the Project Dashboards name, exposing users to a Cross-Site Request Forgery (CSRF) attack. An attacker can exploit this by luring users into clicking on a Project Dashboards name that contains the malicious payload, which triggers a logout request and terminates their session. This vulnerability stems from the absence of CSRF protections on the logout functionality, allowing malicious actions to be executed without user consent.

24 Dec 2024, 03:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-12-22 21:15

Updated : 2025-04-22 15:37

NVD link : CVE-2024-56310

Mitre link : CVE-2024-56310

CVE.ORG link : CVE-2024-56310

JSON object : View

Products Affected

vanderbilt

  • redcap
CWE
CWE-352

Cross-Site Request Forgery (CSRF)