CVE-2022-42715 in REDCap
Summary
by MITRE • 10/12/2022
A reflected XSS vulnerability exists in REDCap before 12.04.18 in the Alerts & Notifications upload feature. A crafted CSV file will, when uploaded, trigger arbitrary JavaScript code execution.
Analysis
by VulDB Data Team • 05/15/2025
The vulnerability CVE-2022-42715 represents a critical reflected cross-site scripting flaw within the REDCap research data management platform, specifically affecting versions prior to 12.04.18. This issue resides within the Alerts & Notifications upload functionality, which serves as a legitimate administrative feature for managing system notifications and alerts. The vulnerability stems from inadequate input validation and output sanitization mechanisms that fail to properly handle malicious payloads embedded within CSV files. When administrators or authorized users upload specially crafted CSV files through this interface, the system processes the data without sufficient sanitization, allowing malicious JavaScript code to be executed within the context of other users' browser sessions.
The technical exploitation of this vulnerability occurs through the manipulation of CSV file content that contains embedded JavaScript code within fields that are subsequently rendered in the web interface. This reflected XSS vector relies on the system's failure to properly escape or sanitize user-supplied data before it is displayed to end users. The vulnerability can be classified under CWE-79 as a failure to sanitize, or incorrect sanitization of, user-supplied data in the context of web page generation. When the malicious CSV file is processed and its contents are displayed in the Alerts & Notifications interface, the embedded JavaScript code executes in the victim's browser, potentially leading to session hijacking, data theft, or further exploitation of the compromised user's privileges.
The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to escalate privileges and gain unauthorized access to sensitive research data managed by REDCap. The vulnerability affects the integrity and confidentiality of research data repositories, particularly through the system's notification infrastructure, which often contains sensitive information about study progress, user access, and system status. Attackers could use this vulnerability to manipulate system alerts, redirect users to malicious websites, or execute actions on behalf of authenticated users. The attack requires minimal privileges to initiate, as the vulnerability exists within an administrative upload feature that may be accessible to users with limited administrative rights, making it particularly dangerous in environments where multiple researchers or staff members have access to the system.
Mitigation strategies for CVE-2022-42715 should focus on immediate patching to version 12.04.18 or later, which contains proper input validation and output sanitization mechanisms. Organizations should implement strict file validation policies that reject CSV files with suspicious content patterns and ensure that all user-supplied data undergoes comprehensive sanitization before being processed or displayed. Network segmentation and access controls should be strengthened to limit who can upload files to the Alerts & Notifications feature, while implementing proper monitoring for unusual upload activities. The vulnerability's classification under ATT&CK technique T1566.001 for "Phishing with Malicious File" highlights the importance of user education and awareness programs to prevent accidental exploitation. Additionally, organizations should conduct regular security assessments of web applications to identify similar input validation flaws and implement robust content security policies to prevent script execution in browser contexts where user-supplied data is rendered.
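The escape-on-output failure described above and the sanitization fix, as an added Python example that is not REDCap's code: it parses a constructed CSV upload, renders the rows both unescaped (the vulnerable pattern) and HTML-escaped (the fix), and runs an upload-time check that flags fields carrying markup for logging or rejection. The column names, the sample rows and the markup regex are assumptions.

```python
"""Added example (not REDCap code): CSV upload rendered into an HTML table,
vulnerable vs. escaped, plus an upload-time check for markup in fields."""
import csv
import html
import io
import re

# Constructed sample upload: column names are assumed, not REDCap's schema.
# Row 1 is benign; row 2 carries a markup payload in its message field.
SAMPLE_CSV = """alert_title,message
Study update,Enrollment is at 80%
Status,<script>alert(1)</script>
"""

# Assumed check: any opening/closing tag-like sequence is treated as suspicious.
MARKUP = re.compile(r"<\s*/?\s*[a-z!]", re.IGNORECASE)


def parse_upload(text: str) -> list[dict]:
    """Parse the uploaded CSV (header row required) into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def render_unescaped(rows: list[dict]) -> str:
    """Vulnerable pattern: field values concatenated straight into the HTML."""
    cells = "".join(f"<tr><td>{r['alert_title']}</td><td>{r['message']}</td></tr>"
                    for r in rows)
    return f"<table>{cells}</table>"


def render_escaped(rows: list[dict]) -> str:
    """Fixed pattern: every user-supplied value is HTML-entity encoded on output."""
    cells = "".join(
        f"<tr><td>{html.escape(r['alert_title'])}</td>"
        f"<td>{html.escape(r['message'])}</td></tr>" for r in rows)
    return f"<table>{cells}</table>"


def suspicious_cells(rows: list[dict]) -> list[tuple[int, str]]:
    """Upload-time check: (row_number, column) pairs whose value contains markup.
    Output escaping is the real fix; this only feeds a reject/log policy."""
    return [(i, col) for i, r in enumerate(rows, start=1)
            for col, val in r.items() if val and MARKUP.search(val)]


def contains_live_markup(rendered: str) -> bool:
    """True if the rendered HTML still contains a raw <script> tag."""
    return "<script" in rendered.lower()


if __name__ == "__main__":
    rows = parse_upload(SAMPLE_CSV)
    print("suspicious cells:", suspicious_cells(rows))
    print(render_escaped(rows))
```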