Upgrade 13.7.9 LTS Detailed Features Changes List

Owned by Christopher Sorensen
Last updated: Jan 26, 2024
24 min read

New features: 

New Multi-Language Management workflow for adding new languages to projects, plus many other improvements.

  • Improved workflow and user interface for adding new languages to projects.

  • Project languages can now "subscribe" to system languages (i.e., any changes/additions to UI translations made in the Control Center will automatically be visible in projects).

  • Several new administrator options to control how new languages can be initialized in projects (independently allow/disallow initialization from system languages, language files, or from scratch). These (global) settings can be overruled on a project by project basis.

  • Editing/updating of existing languages has been redesigned and split into separate edit (rename, etc.) and update (sync with system languages or import translations from files) dialogs.

Change/improvement: CDIS-related tasks now use a new memory monitoring feature to improve system stability by preventing out-of-memory crashes, in which it actively tracks memory usage and stops long-running, memory-intensive background processes when the PHP thread’s memory usage approaches a predefined threshold (75% by default).

New features for Clinical Data Interoperability Services (CDIS): New additions to the CDIS Configuration page in the Control Center.

  • Custom Mapping: Institutions can now define their own mappings and specify additional LOINC codes for labs and vitals.

  • Metadata Download: Users can download CSV files containing metadata for mapping FHIR data to REDCap's fields. Metadata files are available for DSTU2 and R4 versions.

  • Custom FHIR Authentication Parameters: This new feature enables administrators to define custom HTML query parameters for the SMART on FHIR authentication process. By allowing institutions to specify key-value pairs along with context information, such as "standalone launch," "EHR launch," and "always," this enhancement provides increased flexibility during authentication. The user interface facilitates the specification of multiple entries, thus granting administrators greater control over the authentication process.

Detailed Change Log:

Version 13.7.9 (released on 2023-08-03)

CHANGES IN THIS VERSION:

  • Bug fix: If a user has created a File Repository folder that is Data Access Group restricted or User Role restricted, and then a user deletes the DAG or User Role to which the folder is restricted, the folder would mistakenly be deleted, after which all of the files in the folder would be automatically moved into the main top-level folder in the File Repository. This has now been changed so that if a folder is restricted to a User Role, the folder will no longer be deleted when the User Role is deleted, but the folder and its files will remain as not restricted to any role. And if the folder is restricted to a DAG, users will simply be unable to delete the DAG until all its DAG-restricted folders are deleted first. (Ticket #210829)

  • Bug fix: If a user is utilizing the "Upload users (CSV)" method to update user privileges on the User Rights page, in which a user is being assigned to a Data Access Group or is being removed from a DAG, the upload process would mistakenly not log the DAG assignment/removal on the Logging page. (Ticket #210831)

  • Bug fix: If a longitudinal project is in production, a normal user with Project Design privileges on the "Designate Instruments for My Events" page could possibly remove an Instrument-Event mapping (i.e., uncheck a disabled checkbox in the mappings table), which they are not allowed to do to projects in production, if they know how to manipulate the webpage in specific ways and then click the Save button.

  • Bug fix: When using the Calendar Sync feature, calendar events that do not have a time specified (but only a date) might reflect an incorrect start time and end time in some external calendar applications. (Ticket #211137)

  • Bug fix: When using an HTML5 video tag in user input text (e.g., field labels, survey instructions), in which the tag contains the "controls" attribute, the attribute would mistakenly be renamed to "cremoved" in the resulting HTML. (Ticket #211141)

  • Bug fix: For CDIS, fixed issues related to properly handling the absence of a valid FHIR access token, such as FHIR logs being saved with a “wrong format” error and also scenarios where the absence of a user ID caused unexpected behavior.

  • Bug fix: When using Multi-Language Management and exporting general settings as a file, the data entry form and survey active states would mistakenly be swapped in the export file. (Ticket #211172)

  • Bug fix: When a user is using the User Access Dashboard to delete or expire a user's access in a project, in some cases the action would mistakenly not get logged on the project's Logging page (although the action would be logged in the redcap_log_event database table, which might not be used by the project, thus making the logged event not accessible on the project's Logging page).

  • Bug fix: When using Missing Data Codes in a project, in which a Text field with field validation has the @nomissing action tag, users would be able to manually hand-enter Missing Data Codes into the Text field, even though the value entered failed the field validation.

  • Bug fix: When performing a data import that contains blank values for a Slider field, in which the import is set to allow blank values to overwrite existing saved values, the import process would mistakenly return an error message saying that the value must be an integer. It should instead not return any error message in this situation. (Ticket #211075)

  • Bug fix: When a user has an apostrophe in their username, and the user goes to create a new project, they may not be able to access the project they just created. (Ticket #210832)

  • Bug fix: The act of creating or editing an alert on the Alerts & Notifications page would get logged on the Logging page. However, the Logging page would represent the alert's "trigger_on_instrument_save_status" attribute incorrectly, displaying "any_status" when the alert is set to be triggered when an instrument is saved with Complete status only and as "complete_status_only" when set to be triggered on any form status. Note: The alert itself would be saved correctly, but the logged event for creating/editing the alert would merely be inaccurate. (Ticket #210832)

  • Bug fix: In some cases when an external module is being used, a fatal PHP error might occur for certain PHP versions. (Ticket #211611)

  • Bug fix: When a field variable is being piped or used in logic, and the field is prepended with the Smart Variable [first-event-name] or [last-event-name], in which the current context is a different instrument on which the field itself is located, the event field pair might result in a blank value or an incorrect value. (Ticket #210930)

Version 13.7.8 (released on 2023-07-28)

CHANGES IN THIS VERSION:

  • Bug fix: When using Twilio, it would mistakenly not send SMS messages to U.S. phone numbers with an 934 area code. (Ticket #90686b)

  • Bug fix: If the system-level setting "ENABLE FILE UPLOADING FOR THE FILE REPOSITORY MODULE" is set to "disabled", users would still be able to upload files into the File Repository in any project. Bug emerged in REDCap 13.1.0. (Ticket #210765)

  • Bug fix: The documentation for using reports as filters in Smart Charts, Smart Tables, or Smart Functions was confusing and has been updated for clarity. It notes now that when referencing a unique report name in Smart Charts, Smart Tables, or Smart Functions, no other filtering parameters can be used (e.g., DAGs, events) with the report filter and thus any other filters will be ignored. If users wish to additionally filter by DAGs and/or events, it is recommended that they add such filtering to the report itself by editing the report. The wizard on the Project Dashboard page has also been updated to reflect this.

  • Bug fix: When using the @Wordlimit or @charlimit action tag on a Text field, the first field on the page that uses either action tag might have its "X characters remaining" label or "X words remaining" label, respectively, duplicated multiple times below the field itself. (Ticket #208658)

  • Bug fix: The example Perl code in the API Playground for making Curl calls was outdated and would not run successfully for some users.

  • Bug fix: When using MyCap in a project, a blank Menu might be displayed for participants when using the MyCap mobile app, specifically for iOS devices.

Version 13.7.7 (released on 2023-07-21)

CHANGES IN THIS VERSION:

  • Major bug fix: When a user has File Repository user privileges in a project with the e-Consent Framework enabled on one or more instruments, the user would mistakenly be able to download the e-Consent PDF files stored in the PDF Survey Archive folder in the File Repository, even when the user does not explicitly have "Full Data Set" data export rights for the given instrument. In order to download the e-Consent PDFs, the user should have "Full Data Set" data export rights for the given instrument. (Ticket #210214)

  • Bug fix: Some MyCap-related pages that deal with PROMIS instruments (auto-scoring and adaptive) might mistakenly crash due to a fatal PHP error when using PHP 8.

  • Bug fix: If the Online Designer displays an error icon next to a MyCap-enabled instrument, it would allow the user to click the icon and attempt to try to fix the errors when the project is in production mode; however, it would fail to fix it and just re-display the error. Instead, it will now inform the user that errors exist but that they must put the project in draft mode first before they can fix the errors. (Ticket #210179)

  • Bug fix: When using Duo two-factor authentication, if the system is set to "Offline", it would mistakenly prevent administrators from successfully logging in via Duo 2FA. (Ticket #202197)

  • Bug fix: When a user is updating a language on the Multi-Language Management setup page, some import settings, such as the "Keep existing translations" option, would mistakenly not be honored during the language update process. (Ticket #210395)

  • Bug fix: In longitudinal projects with multiple arms, certain actions (such as deleting a record, renaming a record, and others) would mistakenly execute SQL queries that were not structured correctly and thus might make the database server unnecessarily slow due to long query times.

  • Bug fix: When using certain action tags on a field where the value on the right side of the equal sign in the action tag definition is not wrapped in single quotes or double quotes and additionally other annotation text follows after the action tag in the Field Annotation text (e.g. @charlimit=8 More text here), the action tag might not be interpreted successfully and thus might not get enforced. (Ticket #210175)

  • Bug fix: If a survey is using a system-level theme or a user-saved custom theme, the theme colors would mistakenly not get preserved in the Project XML file if a user exports the Project XML file and then creates a new project with it. (Ticket #210371)

  • Bug fix: When using the Data Resolution Workflow feature, if a user executes Data Quality rule H, fields that have been marked as "Verified data value" would mistakenly appear in the list of discrepancies (they should not appear there by default) and would not appear as "verified" in the DQ popup. (Ticket #209447)

  • Bug fix: Using an [X-event-name] Smart Variable in combination with an [X-instance] Smart Variable in logic, calculations, or piping might cause the evaluation of the logic/calc/piping not to be performed successfully. (Ticket #208887)

  • Bug fix: When using the Clinical Data Pull, the EHR Launch process might mistakenly fail. (Ticket #210523)

  • Bug fix: The CDIS messaging feature might mistakenly display the phrase “invalid date” where the date/time of the message should be.

Version 13.7.6 (released on 2023-07-14)

CHANGES IN THIS VERSION:

  • Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered in the File Repository in which a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript in a very specific way inside the filename of an uploaded file. The user must be logged in to REDCap and also must have File Repository privileges in the project in order to exploit this. (Ticket #210134)

  • Bug fix: When an instrument has an embedded field that is immediately followed by a piped field or by another embedded field (with no space between them), the field/value might mistakenly not be rendered in the exported PDF of that instrument. (Ticket #210165)

  • Bug fix: A fatal PHP error might occur related to specific CDIS processes.

  • Bug fix: A fatal PHP error might occur related to CDIS when performing the Standalone launch inside REDCap. (Ticket #209840)

  • Bug fix: When viewing the PDF Survey Archive files for the e-Consent Framework in the File Repository, if the system-level e-Consent setting "Capture the IP address..." is set to "Do NOT capture IP address", the table header in the File Repository would mistakenly say "IP Address" instead of "Identifier (Name, DOB"). (Ticket #209302)

  • Bug fix: When using the Control Center page to update the database tables to support full Unicode, in some situations the resulting SQL might mistakenly contain a double comma, which would result in SQL errors and prevent the process from completing successfully. (Ticket #209856)

  • Bug fix: When using Multi-Language Management and using the Right to Left (RTL) setting when there are multiple choice fields with horizontal alignment, the choices might not always display correctly. (Ticket #209612)

  • Bug fix: When taking a survey while using a mobile device, the page would auto-scroll unnecessarily after completing a multiple choice field that has one or more visible fields embedded inside it. In this case, the page should not auto-scroll when the field contains embedded fields. (Ticket #208523)

  • Bug fix: When a user selects the option "Remove all date and datetime fields" when exporting data, or if that option is automatically imposed upon the user due to having De-Identified data export rights, survey completion timestamp fields would mistakenly not be removed from the resulting data export file. (Ticket #208758)

  • Bug fix: When a project is in Analysis/Cleanup status and the current user does not have Project Design & Setup privileges, the Project Home page and Project Setup page would mistakenly display a "Modify" button in the yellow section at the top of the page describing if users can modify records or not. This button should only be displayed for users with Design rights. Clicking the button would not actually change anything though, so this issue is more of an aesthetic issue that could cause confusion. (Ticket #107257)

  • Bug fix: If an unclosed HTML comment (i.e, "<!--" without quotes) exists in user-defined text that is displayed on the page (e.g., field label, survey instructions, a piped value from a Text field), it would mistakenly cause the page content to be truncated, thus preventing the user from seeing any of the page after where the text is located. (Ticket #207897)

  • Bug fix: A missing LOINC code was added to the CDIS mapping features.

  • Bug fix: If the URL of another REDCap server exists in user-defined text that is displayed on the page (e.g., field label, survey instructions, a piped value from a Text field), the REDCap version number in the URL would mistakenly be replaced with the REDCap version number of the current server. It should never replace the REDCap version number in any URLs unless the URL corresponds to the current REDCap server. (Ticket #208528)

  • Bug fix: When using Twilio or Mosio for a survey implemented as an SMS conversation, Yes/No fields and True/False fields would not have their field labels rendered correctly in the conversation. Instead of their field label, it would display "No" or "False", respectively. (Ticket #209624)

  • Bug fix/change: The @DOWNLOAD-COUNT action tag documentation has been updated for clarity to explain that if a field with @DOWNLOAD-COUNT also utilizes @inline or @INLINE-PREVIEW and displays an inline PDF that has been uploaded, if a user downloads the file via the inline PDF controls (which are generated by the browser and not by REDCap), the download will not get properly counted via @DOWNLOAD-COUNT. This is to clarify that @DOWNLOAD-COUNT only works when users/participants click the file download link on the page. (Ticket #208354)

  • Bug fix: If an administrator does not specifically have "Modify system configuration pages" admin rights, the date field on the Cron Jobs page in the Control Center would mistakenly be disabled.

  • Bug fix: If an inline image was added to text on an instrument via the rich text editor and then the project was later copied, the image would display correctly on the data entry form in the project copy, but it would mistakenly not display when viewing the instrument as a survey in the project copy.

  • Bug fix: In certain scenarios, a couple fatal PHP errors might occur on survey pages when using PHP 8. (Ticket #210196)

Version 13.7.5 (released on 2023-07-07)

CHANGES IN THIS VERSION:

  • Bug fix: On certain occasions, the Control Center and/or Configuration Check page might mistakenly display the warning that "Some non-versioned files are outdated", which might be incorrect and a false positive.

  • Bug fix: A fatal PHP error might occur when using Duo for two-factor authentication.

  • Bug fix: A fatal PHP error might occur when attempting to send emails via the Email Users page, thus preventing the emails from being sent.

  • Bug fix: A fatal PHP error might occur related to CDIS when performing the EHR launch of the REDCap window inside the EHR user interface.

Version 13.7.4 (released on 2023-07-07)

CHANGES IN THIS VERSION:

  • Critical security fix: A Blind SQL Injection vulnerability was found on data entry forms and survey pages, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request in a specially-crafted way. This bug affects all known REDCap versions.

  • Critical security fix: A PHP Deserialization Remote Code Execution vulnerability was found in which a malicious user who is logged in could potentially exploit it by manipulating an HTTP request to a specific CDIS-related page while manipulating a certain CDIS-related cookie in a specific way. If successfully exploited, this could allow the attacker to remotely execute arbitrary code on the REDCap server. This vulnerability exists in REDCap 13.0.1 and higher.

  • Critical security fix: A Blind SQL Injection vulnerability was found when calling certain API methods, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by entering specially-crafted data into a Text field, changing the field to a File Upload field, and then calling the Delete File or Import File API method. This bug affects all known REDCap versions.

  • Major security fix: An SQL Injection vulnerability was found on a MyCap-related page, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request in a specially-crafted way. In order to exploit this, the user must be logged in as a REDCap user and must also have one or more instruments enabled as MyCap tasks.

  • Major security fix: A Cross-site Scripting (XSS) vulnerability was discovered in which a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript in a very specific way on many pages that output user-defined text onto a REDCap webpage. This bug affects all versions of REDCap.

  • Bug fix: After unsuspending a user on the Browse Users page on the "View User List By Criteria" tab, the "Display only X users" drop-down would mistakenly get reset. (Ticket #208937)

  • Various PHP 8 related bug fixes related to CDIS.

  • Bug fix: A new Clinical Data Mart background process would not be scheduled if the current one was taking too long to complete.

  • Bug fix: PHP 8 related fix for the Data Import Tool. (Ticket #208086)

  • Bug fix: When using Multi-Language Management with the e-Consent Framework, some text on the e-Consent confirmation screen at the end of the survey was mistakenly not translatable.

  • Bug fix: When using Multi-Language Management, the language switcher and globe menu would not work on survey return pages when the survey is set up to show a logo and the option to "Hide survey title on survey page when display logo" is turned on. (Ticket #208961)

  • Bug fix: When using Multi-Language Management on a survey where Google reCAPTCHA is enabled, the Google reCAPTCHA text would mistakenly not be translatable. (Ticket #208797)

  • Bug fix: PHP 8 related issue on certain MyCap pages in project. (Ticket #208688)

  • Bug fix: In some situations, the survey page might mistakenly throw a fatal PHP error for PHP 8. (Ticket #208147)

Version 13.1.37 (released on 2023-07-07)

CHANGES IN THIS VERSION:

  • Critical security fix: A Blind SQL Injection vulnerability was found on data entry forms and survey pages, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request in a specially-crafted way. This bug affects all known REDCap versions.

  • Critical security fix: A PHP Deserialization Remote Code Execution vulnerability was found in which a malicious user who is logged in could potentially exploit it by manipulating an HTTP request to a specific CDIS-related page while manipulating a certain CDIS-related cookie in a specific way. If successfully exploited, this could allow the attacker to remotely execute arbitrary code on the REDCap server. This vulnerability exists in REDCap 13.0.1 and higher.

  • Critical security fix: A Blind SQL Injection vulnerability was found when calling certain API methods, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by entering specially-crafted data into a Text field, changing the field to a File Upload field, and then calling the Delete File or Import File API method. This bug affects all known REDCap versions.

  • Major security fix: An SQL Injection vulnerability was found on a MyCap-related page, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request in a specially-crafted way. In order to exploit this, the user must be logged in as a REDCap user and must also have one or more instruments enabled as MyCap tasks.

  • Major security fix: A Cross-site Scripting (XSS) vulnerability was discovered in which a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript in a very specific way on many pages that output user-defined text onto a REDCap webpage. This bug affects all versions of REDCap.

Version 13.7.3 (released on 2023-06-28)

CHANGES IN THIS VERSION:

  • New LTS branch based off of REDCap 13.7.2 (Standard)

Version 13.1.36 (released on 2023-06-23)

CHANGES IN THIS VERSION:

  • Bug fix: The "Design Checker" for the Clinical Data Mart might mistakenly fail with an error when attempting to fix the structure of a CDM project. (Ticket #207348)

  • Bug fix: PHP 8 related fixes for CDIS functionality.

  • Bug fix: When exporting a Project Dashboard as a PDF, some parts of the page that should not be included in the PDF were included.

  • Bug fix: More compatibility fixes when using Epic Hyperdrive for CDIS in the context of EHR launches.

  • Bug fix: Related to CDIS, unnecessary steps were removed for the Smart on FHIR OAuth2 process.

Version 13.1.35 (released on 2023-06-08)

CHANGES IN THIS VERSION:

  • Bug fix: MyCap push notifications might mistakenly not work when using a proxy for the REDCap web server. (Ticket #207578)

  • Bug fix: When using Multi-Language Management, the “:value” piping modifier would not mistakenly not work when performing piping on MLM-enabled forms and surveys. (Ticket #207629)

  • Bug fix: When using date-based or time-based [survey-X] Smart Variables in conjunction with a [X-instance] Smart Variable while also using the ":value" modifier (e.g., [survey-time-completed:my_survey:value][last-instance]), a blank value might mistakenly be returned instead of the expected value. (Ticket #206098b)

  • Bug fix: When using the Copy Project feature and selecting to copy the reports in a project, the resulting new project's reports would mistakenly not have the same unique report names. The unique report names of the new project should be exactly the same as the original project. (Ticket #207248)

  • Bug fix: When piping a data value into the choice label of a multiple choice field on a repeating instrument, the correct data value might mistakenly not get piped correctly when viewing the choice label on a report or in a CSV Labels data export. (Ticket #207193)

  • Bug fix: When using the Calendar Sync feature, the calendar feed or export might mistakenly be off by one hour for cities in specific time zones. (#206585b)

  • Bug fix: When importing and exporting user rights or user roles via CSV files on the User Rights page, some user privilege categories (e.g. Alerts & Notifications) might mistakenly not be found in the downloaded CSV user rights/roles files. (Ticket #206747, #207132)

  • Bug fix: When selecting files in the File Repository and clicking the Move button, the "folder" drop-down list in the dialog would mistakenly display folders that have been deleted. (Ticket #207763)

  • Bug fix: When viewing multi-page inline PDFs on the e-Consent certification screen on surveys when using certain devices, such as iPads, only the first page of the PDF might be viewable on the webpage. An option is now displayed near the bottom of the e-Consent certification screen on surveys to allow the participant to download and view the PDF in another browser tab if they are using a device that does not support multi-page inline PDFs. (Ticket #205407)

  • Bug fix: When exporting a project or project data as CDISC ODM/Project XML, a fatal PHP error might occur when using PHP 8. (Ticket #78389)

  • Bug fix: When using Multi-Language Management, the error dialog displayed when a user enters an invalid choice for an auto-complete drop-down field was mistakenly not available for translation on the MLM setup page. (Ticket #207825)

  • Bug fix: When using CDIS, the project menu was not hidden in an EHR launch context.

  • Bug fix: When downloading a PDF of an instrument that contains a Descriptive Text field with an inline PDF attachment, in certain cases the inline PDF might overlap the next field below it when instead it should begin a new page right after the inline PDF. (Ticket #206391)

  • Bug fix: Piping Smart Variables or field variables into the Data Entry Trigger URL would mistakenly cause "span" HTML tags to be inserted into the URL.

Version 13.1.34 (released on 2023-06-02)

CHANGES IN THIS VERSION:

  • Bug fix: If a user does not have "Add/Edit/Organize Reports" privileges, "Report B" would mistakenly not appear for them on the "My Reports & Exports" page. (Ticket #206987)

  • Bug fix: A non-existent CDP-related CSS file would get called on the Online Designer page and thus would throw a silent 404 error in the browser console. (Ticket #207222)

  • Bug fix: When re-evaluating Alerts & Notifications, in which one or more alerts are recurring, the process might report an incorrect number of alerts that were removed/unscheduled during re-evaluation as a result of the alert's conditional logic no longer being True. This does not affect any behavior but only the count of alerts that were removed/unscheduled during the re-eval process. (Ticket #206980)

  • Bug fix: Data entry forms and survey pages might mistakenly crash due to a fatal PHP error in very specific scenarios when using PHP 8. (Ticket #207349)

  • Bug fix: On the MyCap-enabled project, the Online Designer might mistakenly crash due to a fatal PHP error in very specific scenarios when using PHP 8. (Ticket #207381)

  • Bug fix: In certain places throughout REDCap where the Logic Editor is used, when modifying the text in the editor, an error might appear saying "Odd number of single quotes exist" (or something similar) when apostrophes, quotes, parentheses, and some other characters are utilized in an "inline comment" (beginning with // or #) in the editor. (Ticket #207092)

  • Bug fix: When copying the MyCap generated invitation text, which would contain a REDCap version number in the URL of the QR code image, and pasting it onto a webpage in REDCap, such as in the survey completion text or in a field label, the QR code would mistakenly fail to load on the page if that older version of REDCap had been removed from the web server.

Version 13.1.33 (released on 2023-05-25)

CHANGES IN THIS VERSION:

  • Minor security fix: An SQL Injection vulnerability was found on a MyCap-related page, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request in a specially-crafted way. In order to exploit this, the user must be logged in as a REDCap user and must also have one or more instruments enabled as MyCap tasks.

  • Major bug fix: If a REDCap user knows the report_id of a report from another REDCap project to which they do not have access, they could manipulate the URL of a report in one of their own projects by replacing the report_id in the URL with the other project's report_id and thus be able to view (but not export) all the data from the other project's report. Note: The user would not be able to access anything else from that other project though. Additionally, the user must be logged in and must have access to at least one project in order to exploit this issue. Bug emerged in REDCap 12.2.0. (Ticket #206894)

  • Bug fix: When using the Calendar Sync feature, the calendar feed or export might mistakenly be off by one hour for cities in specific time zones. (Ticket #204252, #206585)

  • Bug fix: If a field has been piped into the min or max validation range of a Text field, in which the piped field does not have a saved value yet, a user attempting to import data will mistakenly get an error stating that the field "should not be greater than the field maximum" or "less than the field minimum", which would thus prevent the user from importing the data. (Ticket #203219)

  • Bug fix: When a user attempts to place a production project into draft mode, it might mistakenly just reload the same page with no changes, thus preventing the project from being put in draft mode. This often occurs when multiple users are changing things in the Online Designer near the same time while in production. (Ticket #6346b)

  • Bug fix: Some project-level features in the Additional Customizations popup were mistakenly not being added to the Project XML file when exporting->importing a project. These include the following features: Enable the Data History popup, Display the Today/Now button, Prevent branching logic from hiding fields that have values, and Require a 'reason' when making changes to existing records. (Ticket #206575)

  • Bug fix: When uploading an Instrument Zip file that contains survey settings, in which the survey theme of the survey does not exist on the current REDCap server, the upload would hang and never finish. Now, if the survey theme does not exist on the current REDCap server, the default survey theme will be used instead. (Ticket #206167)

  • Bug fix: When viewing the REDCap Mobile App's "App Data Dumps" page and clicking the "Import Data from File" button for a specific data dump file, it would mistakenly throw a fatal PHP error on the page when using PHP 8. (Ticket #137777b)

  • Bug fix: Fixed compatibility issue when using Epic Hyperdrive for CDIS in the context of EHR launches. It addresses a known issue where the cookie samesite policy conflicts with Hyperdrive. By detecting the Hyperdrive user agent, REDCap disables the samesite policy, ensuring seamless integration and functionality.

  • Bug fix: CDIS-related processes might fail in specific cases due to PHP 8 incompatibility.

  • Bug fix: A missing LOINC code was added to the CDIS mapping features.

  • Bug fix: When deleting scheduled survey invitations on the Survey Invitation Log using the "Delete all selected" button, it might crash with a fatal PHP error if deleting only one participant at a time when using PHP 8.

Version 13.1.32 (released on 2023-05-19)

CHANGES IN THIS VERSION:

  • Major bug fix: When a participant completes the first page of a multi-page survey, it might mistakenly create a duplicate record that contains only the responses submitted on the first survey page. This does not affect single-page surveys. (Ticket #206613)

  • Major bug fix: When a participant clicks the “Save & Return Later” button on the first page of a multi-page public survey, and then returns to complete the survey later, it might mistakenly not update the original create but would instead create a duplicate record containing the values submitted on the last survey page. This does not affect single-page surveys. (Ticket #206623)

Version 13.1.31 (released on 2023-05-19)

CHANGES IN THIS VERSION:

  • Major bug fix: If a field is required and is embedded in the choice label of a multiple choice field on a multi-page survey, in which the field itself has branching logic and is also used in the branching logic or calculation of another field on a separate survey page, the field's value might mistakenly get erased when submitting a survey page where the field does not exist but where the field is used in a branching logic or calculation.

  • Bug fix: A JavaScript error would mistakenly get thrown on the survey page after clicking the Save button on a multi-page survey, which might cause some things not to work on the survey. (Ticket #206073)

  • Bug fix: If using Multi-Language Management, the translated choice labels for Yes/No and True/False fields would mistakenly not display correctly on the Codebook page. (Ticket #206001)

  • Bug fix: When using an [X-instance] Smart Variable with other survey-related Smart Variables while using PHP 8, it might cause a fatal PHP error if no repeating instances exist yet for the targeted repeating instrument/event. (Ticket #206098)

  • Bug fix: When creating or editing a report, pressing the Enter key while in any text input (e.g., the Value text box in Step 3) would mistakenly cause the "List of users with access" popup to display. (Ticket #204875)

  • Bug fix: When a non-REDCap user receives a Send-It download link via email for a REDCap installation that is using a directory-based authentication method (e.g., Shibboleth), the recipient would never be able to download the file because it would mistakenly always require them to log in as a REDCap user.

  • Bug fix: If using Multi-Language Management, the same field could mistakenly be embedded multiple times on the same page when embedded via MLM translations. (Ticket #206370)

  • Bug fix: If using Multi-Language Management, if a radio or checkbox field exists on an MLM-enabled survey that also has the Enhanced Choice survey option enabled, in which another field on the survey page is embedded inside one of that field’s choice labels, the field would not be successfully embedded on the page but would display an error message saying that that field has been embedded multiple times on the page, which is not true.

  • Bug fix: When downloading the Project XML file for a project, in some circumstances the process might fail with a fatal PHP error when using PHP 8. (Ticket #206404)

  • Bug fix: If a survey has "Save & Return Later" enabled and allows participants to return without needing a return code, but it does not allow them to return if the survey has already been completed, then in certain circumstances after a participant completes a public survey in this case, in which they have a unique survey link back to their response (e.g., from an email), they would mistakenly be allowed to modify their completed response. (Ticket #206154)

Version 13.1.30 (released on 2023-05-11)

CHANGES IN THIS VERSION:

  • Major security fix: A Cross-site Scripting (XSS) vulnerability was discovered in a file download process in which a malicious user could potentially exploit it by inserting HTML/XML tags and/or JavaScript in a very specific way into an SVG file that is then uploaded into a File Upload field or as a Descriptive Text field attachment, and then having a logged-in REDCap user attempt to download that file using a specially crafted URL. This bug affects all versions of REDCap.

  • Medium security fix: A Cross-site Scripting (XSS) vulnerability was discovered in which a malicious user could potentially exploit it by inserting HTML tags and/or JavaScript in a very specific way on many pages that output user-defined text onto a REDCap webpage. This bug affects all versions of REDCap.

  • Bug fix: When using MyCap, the MyCap “getStudyImages” API test would mistakenly fail if the project has been copied or created via Project XML upload, in which the images zip file was not getting stored in the back-end database.

  • Bug fix: When using Multi-Language Management, snapshots would be created for all projects when approving DRAFT mode, even when MLM was not in use (no languages). Now a snapshot is made only when MLM is active (not disabled) AND there is at least one language defined. Additionally, there was no automatic snapshot taken when projects are moved to production initially. Now a snapshot is taken automatically (same rules as for DRAFT).

  • Bug fix: When opening a data entry form or survey page in certain versions of iOS in Mobile Safari or in Internet Explorer, the page would never fully load due to a JavaScript error. This bug was supposedly fixed two versions earlier but mistakenly was not. (Ticket #202806b)

  • Bug fix: When utilizing the "Include PDF of completed survey as attachment" option in the Confirmation Email section on the Survey Settings page for a survey that is using the e-Consent Framework, the PDF consent form that is attached to the email would mistakenly not include the e-Consent Type in the filename of the PDF. It should have listed the e-Consent Type as part of the filename for the email attachment.

  • Bug fix: When performing randomization on a record, a JavaScript error might mistakenly occur, which would cause calculated fields on the current page not to be recalculated post-randomization. (Ticket #205428)

  • Bug fix: When using Multi-Language Management, the Survey Login page text might mistakenly not get translated. (Ticket #205427)

  • Bug fix: The DAG Switcher API method would mistakenly always return the message "ERROR: Invalid DAG" even when the API is being called correctly. Bug emerged in 13.1.27 LTS and 13.4.11 Standard. (Ticket #205557)

Version 13.1.29 (released on 2023-05-04)

CHANGES IN THIS VERSION:

  • Medium security fix: A Blind SQL Injection vulnerability was found on a MyCap-related page, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request in a specially-crafted way. In order to exploit this, the user must be logged in as a REDCap user and must also have one or more instruments enabled as MyCap tasks. (Ticket #205078)

  • Medium security fix: A vulnerability was found in the "Save & Return Later" feature on survey pages, in which a malicious user could potentially exploit it by manipulating an HTTP request in a specially-crafted way that would allow them to email themselves the private survey link of another survey participant. If return codes are not required to return to the survey, using brute force methods the attacker might be able to view sensitive data that survey participants have entered. However, if return codes are required, then the attacker will not be able to view any survey responses. (Ticket #205081)

  • Major bug fix: When using Multi-Language Management and saving MLM translations on the MLM setup page, all Action Tag translations and all choice label translations for multiple choice fields would be permanently lost upon save. Bug emerged in the previous release. (Ticket #205076, #205146)

  • Bug fix: When downloading the Project XML file for a project, in some circumstances the process might fail with a fatal PHP error when using PHP 8. (Ticket #204965)

  • Bug fix: For CDIS-related FHIR calls specifically to Epic, the FHIR coding systems have been updated to reflect the Epic FEB23 update.