Version 14.0.7 (released on 2024-01-11)

  • Major security fix: Several Reflected XSS (Cross-site Scripting) and Stored XSS vulnerabilities were discovered that a malicious user could potentially exploit by inserting custom JavaScript in a specially crafted way into specific URLs or POST parameters in several places, including the Data Quality page, Custom Application Links, Report Folders, and other places. The user must be authenticated into REDCap in order to exploit these in a project. Bugs exist in all REDCap versions for the past 10 years.

  • Major security fix: An SQL Injection vulnerability was found on a Calendar-related page, some MyCap-related pages, the Define My Events page, the Online Designer, the Record Home Page, and other places, which a malicious user could potentially exploit to execute arbitrary SQL commands on the database by manipulating an HTTP request in a specially crafted way. In order to exploit these, the user must be logged in as a REDCap user. Bugs exist in all REDCap versions for the past 10 years.

  • Bug fix: The upgrade process might unexpectedly stop due to an SQL error in the upgrade SQL script when upgrading to REDCap 14.0.1 or higher in some cases.

  • Bug fix: In certain situations when using Clinical Data Pull for CDIS, the process might stop with a fatal PHP error on some PHP versions.

  • Bug fix: When using Multi-Language Management, in which the highlighting feature for untranslated items is enabled, some items would mistakenly be highlighted on the page that should not be highlighted. (Ticket #221418)

  • Bug fix: If a record contains multiple consecutive spaces in its record name, some things might not display correctly on certain pages when viewing the record, such as the floating table of repeating instances when clicking on the "stack" status icon for a repeating instrument on the Record Home Page or Record Status Dashboard.

  • Bug fix: When using Clinical Data Pull in CDIS, conditions or medications were not shown in the CDP adjudication dialog unless a specific status was specified.

  • Bug fix: During the cache file creation process for Rapid Retrieval, concurrent write attempts could lead to PHP errors and potentially high CPU usage in some specific cases. (Ticket #221459)

  • Bug fix: The “Create new API token for user” dialog might mistakenly display the option “External Modules API”, which is not a published feature yet. (Ticket #221904)

  • Bug fix: When using Clinical Data Mart in CDIS, the CDM auto-fetch feature was not properly scheduling a fetch process.

  • Bug fix: When viewing the Record Status Dashboard when Data Access Groups exist in a project, in certain situations the RSD page might load a bit slowly due to an excessive amount of SQL queries being run. (Ticket #221998)

  • Bug fix: When using Multi-Language Management, the MLM setup page might not sort the choices of multiple choice fields in the correct order as seen in the Codebook and Online Designer. (Ticket #221888)

  • Bug fix: Usernames with apostrophes could not be added to a project or assigned to a user role through the user interface on the User Rights page. (Ticket #221933)

  • Bug fix: When using the Survey Queue, in which survey participants are added initially via the Participant List, if neither the Designated Email field nor the Participant Identifier is used in the project, and the Survey Response Status is "Anonymous*", the Survey Queue's "Get link to my survey queue" popup would mistakenly display the participant's email address, thus breaking the participant's anonymity in the project. Going forward, it will no longer display the participant's email address in that popup in this situation. (Ticket #221804)

  • Bug fix: When using the Background Data Import process, if an error occurs and a user downloads the CSV file containing the list of errors for the import batch, the first letter of the error message in a given row might be missing.
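The two "Major security fix" entries above name the bug classes (reflected/stored XSS and SQL injection) but, as release notes, show no code. The PHP snippet below is an added illustration written for this page, not REDCap's own code; the table name `data`, the column `record`, the function names and the request values are all hypothetical. It places the string-concatenation pattern behind each bug class next to the standard mitigation: bound parameters for SQL, and context-aware HTML encoding at the point a request value is written into a page.

```php
<?php
// Added illustration (not REDCap code). Table/column/function names are hypothetical.

// --- SQL injection: bind request input as a parameter; never splice it into
//     the statement text. ---
function findRecordsByName(PDO $db, string $recordName): array {
    // VULNERABLE pattern (shown only for contrast):
    //   $sql = "SELECT record FROM data WHERE record = '" . $recordName . "'";
    // A quote character in $recordName changes the WHERE clause itself.

    // SAFE pattern: the value is sent separately from the statement, so the
    // database can only ever treat it as a comparison value, not as SQL.
    $stmt = $db->prepare('SELECT record FROM data WHERE record = :rec');
    $stmt->execute([':rec' => $recordName]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// --- Reflected/stored XSS: encode every untrusted value when it is written
//     into HTML. ENT_QUOTES also covers values placed inside attributes. ---
function h(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderFolderName(string $folderNameFromRequest): string {
    // VULNERABLE pattern: return '<b>' . $folderNameFromRequest . '</b>';
    // SAFE pattern: the encoded string is rendered as text, never as markup.
    return '<b>' . h($folderNameFromRequest) . '</b>';
}

// Self-contained demo against an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE data (record TEXT)');
$db->exec("INSERT INTO data VALUES ('1'), ('2')");

// Constructed inputs: a legitimate record name and one containing a quote.
// With binding, the second matches no row instead of altering the query.
var_dump(findRecordsByName($db, '1'));
var_dump(findRecordsByName($db, "x' OR '1'='1"));

// Constructed input for the HTML side: the tag is rendered inert.
echo renderFolderName('<script>alert(1)</script>'), "\n";
```

The check a reviewer applies to either class is the same: find every place a request value (URL parameter, POST field, stored field value) reaches a SQL string or an HTML response, and confirm it passes through a parameter binding or an encoder on that path. A single missed path is enough, which is why the entries above list many affected pages.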

Version 14.0.6 (released on 2024-01-04)

...