Cyber Resilience

CVE-2025-23113

Low

Published: 10 January 2025

Modified: 25 February 2025
KEV Added
Patch
CVSS Score v3.1: 3.4 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N)
EPSS Score: 0.0008 (24.1th percentile)
Risk Priority: 7 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-23113 is a low-severity CSRF (CWE-352) vulnerability in Vanderbilt REDCap. Its CVSS base score is 3.4 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Account Access Removal (T1531). By exploit likelihood it ranks at the 24.1th percentile (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-23113 is a Cross-Site Request Forgery (CSRF) vulnerability affecting REDCap version 14.9.6. The issue arises in the "action=myprojects&logout=1" endpoint during the upload of a CSV file containing alert configurations. Specifically, an attacker can embed an HTML injection payload in the "alert-title" field of the CSV. Upon upload, the victim is redirected to a page displaying the uploaded data, where clicking the malicious alert-title triggers the unprotected logout functionality. This stems from the lack of CSRF protections on the logout mechanism, classified under CWE-352 with a CVSS v3.1 base score of 3.4 (AV:N/AC:H/PR:N/UI:R/S:C/C:N/I:L/A:N).

An unauthenticated attacker (PR:N) can exploit this by sending a crafted CSV file to a targeted REDCap user via email or other means. The attack requires network access (AV:N), high complexity (AC:H) due to payload crafting, and user interaction (UI:R), as the victim must upload the file and subsequently click the injected alert-title. Successful exploitation changes the scope (S:C) and results in low integrity impact (I:L), either forcibly logging out the victim by terminating their session or redirecting them to a phishing site, potentially enabling session hijacking or credential theft.

Mitigation details are available in the research advisory at https://github.com/ping-oui-no/Vulnerability-Research-CVESS/blob/main/RedCap/CVE_XXX/README.md. No official patches or vendor advisories were referenced in the provided information.

Vulnerability details

An issue was discovered in REDCap 14.9.6. It has an action=myprojects&logout=1 CSRF issue in the alert-title while performing an upload of a CSV file containing a list of alert configuration. An attacker can send the victim a CSV file containing an HTML injection payload in the alert-title. Once the victim uploads the file, he automatically lands on a page to view the uploaded data. If the victim clicks on the alert-title value, it can trigger a logout request and terminate their session, or redirect to a phishing website. This vulnerability stems from the absence of CSRF protections on the logout functionality.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1531 Account Access Removal (Tactic: Impact)
Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users.
Why these techniques?

CSRF on logout directly enables forced session termination (account access removal); phishing redirect is secondary and less direct.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-25967 (Shared CWE-352)
CVE-2024-12386 (Shared CWE-352)
CVE-2025-28931 (Shared CWE-352)
CVE-2025-25121 (Shared CWE-352)
CVE-2024-37102 (Shared CWE-352)
CVE-2024-37450 (Shared CWE-352)
CVE-2025-24001 (Shared CWE-352)
CVE-2025-68434 (Shared CWE-352)
CVE-2025-26578 (Shared CWE-352)
CVE-2025-23558 (Shared CWE-352)

Affected Assets

Vendor: vanderbilt
Product: redcap
Version: 14.9.6

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: SC-23 requires session authenticity mechanisms like CSRF tokens to protect state-changing actions such as the unprotected logout endpoint from forged requests.

Prevent: SI-10 enforces validation of information inputs like CSV alert-title fields to block malicious HTML injection payloads during upload.

Prevent: SI-15 filters output of user-supplied data such as alert-title to prevent rendering of executable HTML links that trigger the CSRF logout.
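
As an added illustration of the SI-10 and SI-15 controls above (not code from REDCap or from the research advisory), this Python example reviews an alert-configuration CSV before upload: it flags rows whose alert-title contains HTML markup and returns the titles HTML-escaped for display. The "alert-title" column header is assumed from the field name in the CVE description, and the "alert-type" column and sample rows are constructed.

```python
import csv
import html
import io
import re

# Assumption: the CSV has a header row with a column named "alert-title"
# (the field named in the CVE description); the real REDCap layout may differ.
TITLE_COLUMN = "alert-title"

# Matches anything shaped like an HTML tag: <a ...>, </a>, <img ...>, <!-- ...>
MARKUP = re.compile(r"<\s*/?\s*[a-zA-Z!][^>]*>")


def review_alert_csv(text):
    """Return (findings, safe_rows) for an alert-configuration CSV.

    findings:  [(line_number, raw_title)] for titles containing markup (SI-10).
    safe_rows: every row, with the title HTML-escaped for rendering (SI-15).
    """
    reader = csv.DictReader(io.StringIO(text))
    if TITLE_COLUMN not in (reader.fieldnames or []):
        raise ValueError(f"no {TITLE_COLUMN!r} column in CSV header")
    findings, safe_rows = [], []
    for row in reader:
        title = row[TITLE_COLUMN] or ""  # short rows yield None
        if MARKUP.search(title):
            findings.append((reader.line_num, title))
        safe = dict(row)
        # Escaping at output time keeps legitimate "<" and "&" readable
        # while preventing the value from rendering as a clickable link.
        safe[TITLE_COLUMN] = html.escape(title, quote=True)
        safe_rows.append(safe)
    return findings, safe_rows


# Constructed sample input (not taken from the advisory).
SAMPLE = (
    "alert-title,alert-type\n"
    "Weekly reminder,email\n"
    '"<a href=""https://example.invalid/"">Open report</a>",email\n'
    "Dose < 5 mg & stable,email\n"
)

if __name__ == "__main__":
    findings, safe_rows = review_alert_csv(SAMPLE)
    for line, title in findings:
        print(f"line {line}: markup in {TITLE_COLUMN}: {title!r}")
    for row in safe_rows:
        print(row[TITLE_COLUMN])
```

Input checks of this kind complement, but do not replace, the SC-23 fix of requiring a CSRF token on the logout request itself.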
