Upgrade Version 15.0.10
Upgrade scheduled for February 27, 2025
This upgrade is to the 15.0 Long Term Support (LTS) branch, which means new features were included. WashU REDCap only upgrades to a new LTS version twice per year. This page lists all changes from the previous WashU REDCap version, including bug and security fixes, improvements, and new features.
To see just the new features, see REDCap 15.0 LTS New Features
Version 15.0.10 (released on 2025-02-06) |
Major security fix: A Stored XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom HTML and JavaScript in a specially crafted way into any user input that is then output on a page in REDCap (e.g., field labels, survey instructions, data displayed on a report), specifically targeting the "href" attribute of a hyperlink. This vulnerability can be exploited by authenticated users and also by survey participants entering data. Bug exists in all REDCap versions. |
Major security fix: An SQL Injection vulnerability was found on the User Rights page, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request in a specially-crafted way when adding new User Roles. This can only be exploited by authenticated users. Bug exists in REDCap 10.3.3 and higher. |
Minor security fix: An Insecure Direct Object References (IDOR) vulnerability was found, in which a malicious user could potentially exploit it by manipulating the URL of the Sponsor Dashboard page in a specially crafted manner. This could allow the attacker to view a sponsor's Sponsor Dashboard page (and view the names and emails of all of their sponsees) and could allow the attacker to request actions on behalf of the sponsor, such as requesting that a sponsee's password be reset, that the sponsee be suspended, etc. Administrators should be allowed to view a sponsor's Sponsor Dashboard, but regular users should only be able to view their own Sponsor Dashboard. Note: This vulnerability is only exploitable if the User Sponsor functionality is being utilized in REDCap. (Ticket #249102) |
Major bug fix: When using the SFTP file storage option for any of the three features that store files onto an external file server (e.g., e-Consent Framework, Record-level Locking Enhancement, and File Upload field enhancement), the process would mistakenly fail with a fatal PHP error caused by an underlying change in a third-party PHP library. Bug emerged in 15.0.8 (Standard) and 15.0.9 (LTS). (Ticket #248948) |
Bug fix: For CDIS, an incorrect CDP Dashboard link was displayed in CDM Projects. |
Bug fix: For CDIS, the Clinical Data Mart fetch process might fail silently due to a PHP warning. |
Bug fix: If a MyCap-enabled PROMIS instrument is part of a Health Measure battery, the instrument was not functioning in a series as repeating for selected events. |
Bug fix: The "Require reversal" setting for the "Spatial Memory" active task for MyCap should not have been displayed on the MyCap task settings page for that specific active task because it was never utilized on the MyCap mobile app side. |
Bug fix: When MLM is active on a form/survey that contains Smart Charts in translatable labels, the Smart Charts would get lost during rendering of the field translations. (Ticket #248576) |
Bug fix: When downloading a PDF of a survey instrument or when REDCap is storing a PDF Snapshot of a survey instrument, certain HTML tags (most notably BR tags) that exist in the survey instruction text might mistakenly get stripped out before being properly processed into line breaks, etc. for the PDF. Bug emerged in REDCap 14.5.0. (Ticket #243240b) |
Bug fix: When exporting an individual instrument's translations on the MLM setup page, the settings from the MLM export dialog were not properly observed. (Ticket #249036) |
Bug fix: When translating text via MLM for section headers and matrix headers, "line breaks" were not properly preserved when MLM is active on a form/survey. (Ticket #249027) |
Various CDIS-related bug fixes. |
Version 15.0.9 (released on 2025-01-30) |
New LTS branch based off of REDCap 15.0.8 (Standard). Note: Please see the Standard Release ChangeLog for the full list of new features and changes released between the previous LTS and this new LTS branch. |
Version 14.5.42 (released on 2025-01-30) |
Bug fix: A missing LOINC code was added to the CDIS mapping features. |
Bug fix: If survey invitations are scheduled via the Participant List, in which one or more invitation reminders are scheduled to be sent, the reminders might mistakenly not get automatically removed from the Survey Invitation Log after the survey had been completed. This would cause the reminders to be sent to the participant even after they had completed the survey. (Ticket #203090b) |
Bug fix: The column for the "Lock/Unlock Entire Records (record level)" user privilege was mistakenly missing from the user rights/roles table on the User Rights page in a project. |
Bug fix: The drag and drop implementation to move fields in the Online Designer prevented other drag and drop operations on the same page from working. |
Bug fix: The special function isnumber() would mistakenly return an incorrect response for numbers that begin with zero and a decimal (e.g., 0.2) and would also return an incorrect response for integers with leading zeros that begin with plus or minus (e.g., +02), which are expected to return false from the function. Bug emerged in REDCap 14.5.37 LTS and 15.0.3 Standard. (Ticket #248368) |
Bug fix: Two-factor verification would mistakenly be successful for users who enter a 6-digit 2FA code with unnecessary leading zeros. (Ticket #248167) |
Bug fix: When using the EHR launch process in the Clinical Data Pull feature of CDIS, if a user authenticates for the first time, any initial action they attempt (e.g., adding or removing a project) would fail silently. |
Various CDIS-related bug fixes:
|
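The leading-zero acceptance in two-factor verification fixed in 14.5.42 is typical of comparing one-time codes as numbers rather than as fixed-length strings. The following is an added example, not REDCap's code, and the changelog does not state the root cause; the function names and sample codes are constructed for illustration.

```python
import hmac
import re

# Exactly six ASCII digits; [0-9] (not \d) so Unicode digits are rejected.
SIX_DIGITS = re.compile(r"[0-9]{6}")


def verify_numeric(submitted: str, expected: str) -> bool:
    """Pattern to avoid: numeric comparison ignores padding, sign and spaces."""
    try:
        return int(submitted) == int(expected)
    except (TypeError, ValueError):
        return False


def verify_strict(submitted: str, expected: str) -> bool:
    """Accept only the exact six-character code, compared in constant time."""
    if not isinstance(submitted, str) or SIX_DIGITS.fullmatch(submitted) is None:
        return False
    return hmac.compare_digest(submitted.encode("ascii"), expected.encode("ascii"))


def accepted_inputs(verify, expected: str, candidates):
    """Return the candidates that a verifier accepts for one expected code."""
    return [c for c in candidates if verify(c, expected)]


# Constructed sample inputs (not real codes).
EXPECTED = "123456"
CANDIDATES = ["123456", "0123456", "000123456", "+123456", " 123456 ", "12345"]

# A code whose true value starts with 0 shows why the length must be enforced:
# the numeric check would accept the five-character input "12345" for it.
EXPECTED_PADDED = "012345"

if __name__ == "__main__":
    print("numeric:", accepted_inputs(verify_numeric, EXPECTED, CANDIDATES))
    print("strict: ", accepted_inputs(verify_strict, EXPECTED, CANDIDATES))
    print("short input, numeric:", verify_numeric("12345", EXPECTED_PADDED))
    print("short input, strict: ", verify_strict("12345", EXPECTED_PADDED))
```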
Version 14.5.41 (released on 2025-01-26) |
Critical bug fix: When a project is in draft mode and an administrator approves their drafted changes, or if the user clicks Submit Changes for Review in the Online Designer where the changes are approved automatically, the process would mistakenly fail with a fatal PHP error. Bug emerged in the previous release. (Ticket #248136) |
Version 14.5.40 (released on 2025-01-26) |
Critical security fix: A Remote Code Execution vulnerability was found in which a malicious user who is logged in could potentially exploit it by manipulating the attributes of fields (e.g., field label) when viewing and saving fields on the Online Designer's field-view page. If successfully exploited, this could allow the attacker to remotely execute arbitrary code on the REDCap server. Note: Only authenticated users are able to exploit this. This issue was supposedly fixed in REDCap 14.5.38 LTS and 15.0.4 Standard Release, but it was only partially fixed. This vulnerability exists in all versions of REDCap. |
Bug fix: Some text on the Calendar page in a project, specifically the Agenda tab, might mistakenly not be displaying as translated but would be in English if the project is set to use a different language. (Ticket #247305b) |
Bug fix: When using Multi-Language Management together with MyCap in a project that is in production status, the MyCap project config JSON that is consumed by the MyCap mobile app was mistakenly not getting updated when MLM changes were made on the MLM setup page. |
Version 14.5.39 (released on 2025-01-24) |
Critical bug fix: Any survey pages or data entry forms that contain calculated fields would mistakenly crash and never load due to a fatal PHP error. |
Version 14.5.38 (released on 2025-01-24) |
Critical security fix: A Remote Code Execution vulnerability was found in which a malicious user who is logged in could potentially exploit it by manipulating any REDCap logic that is stored in a project (e.g., calculations, branching logic, data quality rule logic, report filter logic). Note: Only authenticated users are able to exploit this. This vulnerability exists in all versions of REDCap. |
Critical security fix: A Remote Code Execution vulnerability was found in which a malicious user who is logged in could potentially exploit it by manipulating the attributes of fields (e.g., field label) when viewing and saving fields on the Online Designer's field-view page. If successfully exploited, this could allow the attacker to remotely execute arbitrary code on the REDCap server. Note: Only authenticated users are able to exploit this. This vulnerability exists in all versions of REDCap. |
Version 14.5.37 (released on 2025-01-23) |
Bug fix: In a MyCap-enabled project, a user clicking the "Messages" link for a participant on the MyCap Participant List page might mistakenly receive a "Missing/Invalid Participant" message. (Ticket #246982) |
Bug fix: In the Online Designer when editing a field that has field validation, in which the field has both min and max validation values, if the user changes the validation type and then puts their cursor into the min validation text box, they may get stuck in a never-ending validation error loop. (Ticket #247376) |
Bug fix: REDCap mistakenly did not allow dropping of text (e.g., from Word) into input elements in the Online Designer. |
Bug fix: The "deceased date/time" value of a patient whose data is pulled via CDIS might mistakenly contain a leading space, thus leading to field validation issues in CDIS projects when the data is being imported from the EHR. (Ticket #247705) |
Bug fix: The special function isnumber() would mistakenly return True when provided with a number with a leading zero (e.g., "02"). It now returns False for any text strings that are numbers with leading zeros. |
Bug fix: When a custom Record Status Dashboard is ordered by a project's record ID field in "Descending order", the dashboard will mistakenly not display the records in the correct order if the first instrument in the project is a repeating instrument or if it exists on a repeating event. (Ticket #247891) |
Bug fix: When using "Copy" option for the instrument-level "Choose action" button in the Online Designer, the instrument would fail to be copied and return a vague error message if a Text field on the instrument contains field validation that does not exist as a valid field validation type on the REDCap server. |
Bug fix: When using any "X & Table-based" authentication method together with Two-Factor Authentication enabled in REDCap, in which the "Enforce two-factor authentication ONLY for Table-based users" setting is set to "Yes" and the "Enable the Google/Microsoft Authenticator app option for 2FA" setting is enabled, the QR code and setup procedure information for setting up the Authenticator app would mistakenly be displayed to non-Table-based users, such as on the user's Profile page and immediately after verifying their primary email address. (Ticket #247942) |
Bug fix: When using the "Custom Surveys for Project Status Transitions" feature together with the Survey Base URL feature, the custom survey that is loaded in an iframe on the page for a Project Status Transition would load but might mistakenly fail to be submitted due to a cross-origin JavaScript security permission error. (Ticket #240644b) |
Bug fix: When viewing a survey that contains hyperlinks in the survey instructions, survey completion text, or in field labels that utilize the rich text editor, the hyperlink's text might mistakenly be locked at a specific font size and thus would look strange adjacent to other text. (Ticket #246917b) |
Version 14.5.36 (released on 2025-01-17) |
Major bug fix: The upgrade process might fail to complete when executing the upgrade SQL script to upgrade to the previous version. (Ticket #247576) |
Version 14.5.35 (released on 2025-01-16) |
Major security fix: A Stored XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom HTML and JavaScript in a specially crafted way into any user input that is then output on a page in REDCap (e.g., field labels, survey instructions, data displayed on a report). This vulnerability can be exploited by authenticated users and also by survey participants entering data. Bug exists in all REDCap versions. |
Major security fix: An Insecure Direct Object References (IDOR) vulnerability was found, in which a malicious user could potentially exploit it by manipulating an HTTP request in a specially crafted manner when uploading files for File Upload fields on survey pages and data entry forms. This could allow the attacker to download any file that has been uploaded into the project, potentially containing sensitive/private information. The files that could be downloaded include those uploaded to File Upload fields, to the File Repository, or any other files that have been generally uploaded into the project in the past. Note: This vulnerability does not allow someone to download files from another project, but only files within the current project, such as files associated with a different record or a different field, event, or instance within the same record. |
Bug fix: A missing LOINC code was added to the CDIS mapping features. |
Bug fix: If a multiple choice field has one or more non-integer numeric codings (e.g., 0.5), in which the field is used in a calc or CALCTEXT field that utilizes mathematical addition (e.g., [field1]+[field2]), the resulting calculation might not always be mathematically correct in certain situations, such as if some fields used in the calculation have a blank/null value. (Ticket #246718) |
Bug fix: In certain MLM setup situations, the Survey Queue might fail to translate completely. |
Bug fix: In certain situations, the Submit buttons at the bottom of survey pages might mistakenly not be wide enough. Bug emerged in the previous release. |
Bug fix: Some text on the Scheduling and Calendar pages in a project might mistakenly not be displayed as translated but would be in English if the project is set to use a different language. (Ticket #247305) |
Bug fix: When performing a Data Search on the "Add/Edit Records" page, in which the search results include a match on a record's record ID/name while the first instrument in the project is not designated for certain events in a longitudinal project, the search results might mistakenly return a result pointing to an event where the first instrument is not designated, and thus the user clicking the search result would lead to an "Access Denied" error. It will now not output such search results in this specific case. (Ticket #247507, #247508) |
Bug fix: When performing a Data Search on the "Add/Edit Records" page, in which the search results include a match on a record's record ID/name while the user does not have view access to the first instrument in the project (where the record ID field is located), clicking the search result would mistakenly take the user to a form to which they do not have access, which would display an error message and could be confusing. It will now take the user to the Record Home Page for that record in this specific situation. (Ticket #247510) |
Bug fix: When renaming an instrument that is enabled as a survey via the "Choose action" button in the Online Designer, if the user enters a new instrument name that contains an apostrophe, then when REDCap asks if the user wants to also change the survey title to that value, the "Yes" button in the dialog would mistakenly do nothing due to a JavaScript error. (Ticket #247526) |
Bug fix: When using "Large" or "Very large" as the survey text size for a survey that has horizontally-aligned checkboxes, the first checkbox of a field would appear to be slightly cut off on the left side. (Ticket #247466) |
Bug fix: When using OpenID Connect for authentication, the pre-filling of a user's first/last name and email address in their Profile might mistakenly not occur for certain OIDC setups. (Ticket #246812) |
Version 14.5.34 (released on 2025-01-09) |
Bug fix: The submit buttons on survey pages might mistakenly have their text spill out if the button text is long. (Ticket #247033) |
Bug fix: When using Double Data Entry together with Missing Data Codes, in which an MDY- or DMY-formatted date/datetime field has a Missing Data Code value for a record that is about to be merged via the Data Comparison Tool page, the Missing Data Code value would mistakenly be converted into the value "00-00-0000" in the newly created record. |
Version 14.5.33 (released on 2025-01-08) |
Major security fix: A Reflected XSS (Cross-site Scripting) vulnerability was discovered when uploading files for a File Upload field on a data entry form or survey page, in which a malicious user could potentially exploit it by inserting custom HTML and JavaScript in a specially crafted way into a URL. This can be exploited by anyone who has a link to a survey with a File Upload field (i.e., does not require authentication). Bug exists in all REDCap versions for the past 10 years. |
Bug fix: A fatal PHP error might mistakenly occur in a Dynamic Data Pull (DDP) project when saving adjudicated data. (Ticket #246497) |
Bug fix: Fixed a small inconsistency in the text referring to the "Add/Edit Reports" privilege on the User Rights page. (Ticket #246840) |
Bug fix: When using "Large" or "Very large" as the survey text size for a survey that contains hyperlinks in the survey instructions, survey completion text, or in field labels that utilize the rich text editor, the hyperlink's text might mistakenly be locked at a specific font size and thus would look strange adjacent to other text. (Ticket #246917) |
Bug fix: While generating a new schedule on the Scheduling page in a project, some parts of the table and date/time widgets on the page were mistakenly always displayed in English, even when the user interface had been set to another language. Additionally, the text boxes in the Time column of a projected schedule were too narrow. (Ticket #246833) |
Version 14.5.32 (released on 2025-01-02) |
Major security fix: An SQL Injection vulnerability was found on the User Rights page, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request in a specially-crafted way when adding new User Roles. This can only be exploited by authenticated users. Bug exists in REDCap 10.3.3 and higher. |
Medium security fix: A Reflected XSS (Cross-site Scripting) vulnerability was discovered on the Data Import Tool page in which a malicious user could potentially exploit it by inserting custom HTML and JavaScript in a specially crafted way into a CSV data file being uploaded for the Background Data Import process. This can only be exploited by an authenticated user. Bug exists in REDCap 13.8.0 and higher. |
Minor security fix: Removed outdated dependencies on the external libraries (jQuery, Bootstrap, Popper) in the "Launch from EHR" process for CDIS projects, specifically due to a vulnerability in Bootstrap 4. These libraries were previously locked to older versions to maintain compatibility with older browsers like IE11, required in specific Epic integration settings. This update eliminates potential security risks associated with the outdated libraries and improves overall maintainability. Note: The vulnerability is only exploitable if the Clinical Data Pull service is enabled in CDIS. |
Bug fix: If MyCap is disabled at the system level and then a user creates a project via a Project XML file, in which the Project XML is set to have MyCap enabled, the MyCap settings for the project would mistakenly get loaded into the new project. |
Bug fix: In extremely rare situations, the survey page might return the error message "An unknown error has caused the REDCap page to halt", thus possibly preventing the survey response from being saved properly and ending the survey prematurely. |
Bug fix: Several missing LOINC codes were added to the CDIS mapping features. |
Bug fix: When using inline comments inside the "Action Tag/Field Annotation" text, specifically for the IF action tag, the logic might mistakenly not get parsed correctly, thus causing it not to behave as expected. (Ticket #246704) |
Version 14.5.31 (released on 2024-12-27) |
Bug fix: Fields might mistakenly fail to be embedded inside a Descriptive field if the Descriptive field already has some input elements contained inside it (in its pre-embedded state). (Ticket #246424) |
Bug fix: For logic-based PDF snapshots stored in the PDF Snapshot Archive in the File Repository, the record link for the snapshot in the snapshot table on the page would mistakenly not navigate the user to the record correctly. |
Bug fix: The "Read introduction to Data Resolution Workflow" link does not work from the "Resolution Metrics" tab of the Data Quality page due to a JavaScript error. (Ticket #246592) |
Bug fix: The Configuration Check page and main Control Center page might mistakenly note that something is wrong with the database structure, specifically the table "redcap_ehr_resource_imports". This was merely a false positive, and it only occurs when running MySQL 8. (Ticket #246426) |
Bug fix: When a user is performing the "Re-evaluate ASI" action in the Online Designer, in which they select the "Test Run" option, the process might mistakenly run many more SQL queries than is intended, which might result in database server performance degradation while the process is running. (Ticket #246170) |
Bug fix: When importing clinical notes for Clinical Data Mart projects via CDIS, the system would fail to identify existing clinical notes, resulting in duplicate entries being stored in CDM projects. REDCap now properly detects and prevents duplicates. |
Bug fix: When using CDIS, the Patient resource would return a blank gender value if a blank gender is provided (i.e., exists in the EHR), instead of defaulting to 'UNK'. This change ensures consistent handling of blank gender values, particularly in "Break the Glass" scenarios. |
Bug fix: When using Custom Event Labels in a longitudinal project, in very specific cases when field variables are prepended with a unique event name in the label, that field's value might mistakenly not get displayed in the Custom Event Label in the table header on the Record Home Page. (Ticket #246409) |
Bug fix: When using REDCap's Two-Factor Authentication feature with the Microsoft/Google Authenticator 2FA option enabled while also using an "X & Table-based" authentication method, the table of user attributes on the Browse Users page in the Control Center would mistakenly display the "Send instructions via email" option for Microsoft/Google Authenticator when an administrator is viewing a non-Table-based user when the "Enforce two-factor authentication ONLY for Table-based users?" 2FA setting is enabled. If 2FA is enabled only for Table-based users, then that option on the Browse Users page should not be displayed when viewing a non-Table-based user's account. Additionally, the "Expiration time for 2-step login code" row should also be hidden in this case. (Ticket #246329) |
Bug fix: When using the "Break the Glass" feature for CDIS, the selection would mistakenly not be cleared after a successful "Break the Glass" action, leaving the "Submit" button enabled. The selection now clears as expected, and the button is properly disabled. |
Version 14.5.30 (released on 2024-12-19) |
Medium security fix: A Reflected XSS (Cross-site Scripting) vulnerability was discovered at the survey end-point in which a malicious user could potentially exploit it by inserting custom HTML and JavaScript in a specially crafted way into a survey URL. This can be exploited by anyone and does not require authentication; however, this exploit is only successful when the outgoing email service being used allows invalid email addresses (e.g., those containing HTML tags or JavaScript) to be used in the recipient email address and returns a status of True that the email sent successfully. Thus, this bug does not occur if using SendGrid, MailGun, or Mandrill third-party email services. Bug exists in all versions of REDCap. |
Major bug fix: When a record in a longitudinal project belongs to a Data Access Group, in which the record has data in only one event, if a user clicks the red X on the Record Home Page to "Delete all data on event" for the one event that contains data, it would mistakenly cause the record to no longer be assigned to the DAG. Additionally, the Logging page would not note the record being unassigned from the DAG. (Ticket #246056) |
Bug fix: If a multi-page survey has the "Save & Return Later" option enabled and has the "Allow respondents to return without needing a return code" option enabled, if data is entered on that instrument via data entry form (but not via survey) and then the survey is opened, the survey page might mistakenly open on a later page rather than on the first page, as expected. (Ticket #245967) |
Bug fix: If a survey has invitations that have been scheduled or sent, and that survey instrument is later deleted (i.e., the instrument, not the survey settings), those invitations would still appear in the Survey Invitation Log. (Ticket #246034) |
Bug fix: In a MyCap-enabled project that also uses MLM, the base language in MLM would be included in the list of languages in MyCap even if MyCap is not utilized in MLM. |
Bug fix: The "Break the Glass" feature for CDIS when pulling data from Epic into REDCap was no longer working due to changes on the Epic side. The issue has been fixed to allow CDIS users to be able to perform "Break the Glass" operations on multiple records again in the REDCap interface. |
Bug fix: The FHIR statistics collection process for CDIS (i.e., counting the number of values and types of data imported from the EHR via Clinical Data Mart and Clinical Data Pull) was mistakenly storing inaccurate counts for a long time. Many of the stats for data imported from the EHR were not stored due to a bug. In response to this issue, the old stats data will have to be abandoned but will remain in the REDCap backend database in the table "redcap_ehr_import_counts" for legacy purposes, and that table will no longer be used by the application. As of this version, REDCap has two new database tables "redcap_ehr_resource_imports" and "redcap_ehr_resource_import_details" to collect accurate CDIS stats going forward. The new tables and stats page enhance monitoring, enable improved reporting, and ensure accurate categorization of imported resources in REDCap. Note: There is not a user interface yet in LTS to view these stats being collected, but a FHIR Stats page has been added in REDCap 14.9.3 Standard. |
Bug fix: When a PDF Snapshot is being triggered using a data import or if a PDF is being generated via the REDCap::getPDF() method in an External Module, it would mistakenly output the error message "PDF cannot be output because some content has already been output to buffer" onto the page if some of the webpage had already been rendered. (Ticket #246037) |
Bug fix: When a user is assigning another user to a data query via email for the Data Resolution Workflow, the recipient's first and last name would mistakenly be used as the email sender's Display Name in the email. (Ticket #245946) |
Bug fix: When saving API secrets/keys on various configuration-related Control Center pages, the values of the secrets/keys would mistakenly get logged in the "redcap_log_event" database table. These values are already being encrypted when added to the "redcap_config" table, and as such, they should not be stored in plain text in the internal REDCap logging either. Thus, going forward, any such values will be stored with the value "[REDACTED]" in the logging table rather than as their literal value. (Ticket #245886) |
Bug fix: When using the Survey Login feature in a project, if a survey participant leaves all survey login fields empty and they try to log in by submitting blank values, the survey login would mistakenly be successful, regardless of the number of login fields and the minimum number of fields above that are required for login. (Ticket #246295) |
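The Survey Login fix above concerns a minimum-match check that accepted an all-blank submission. The changelog gives no root cause; this added example (not REDCap's code) shows one way such a check can go wrong, when empty submitted values are compared against empty stored values, next to a version that fails closed. The field names, records and function names are constructed.

```python
import hmac


def _norm(value) -> str:
    """Treat None as empty and ignore surrounding whitespace."""
    return "" if value is None else str(value).strip()


def login_naive(submitted: dict, stored: dict, login_fields: list, min_required: int) -> bool:
    """Pattern to avoid: a blank submission 'matches' a blank stored value."""
    matches = sum(
        1 for f in login_fields if _norm(submitted.get(f)) == _norm(stored.get(f))
    )
    return matches >= min_required


def login_strict(submitted: dict, stored: dict, login_fields: list, min_required: int) -> bool:
    """Count a field only when both sides are non-empty and equal."""
    if not login_fields or not 1 <= min_required <= len(login_fields):
        return False  # misconfigured login settings fail closed
    matches = 0
    for f in login_fields:
        given, known = _norm(submitted.get(f)), _norm(stored.get(f))
        if not given or not known:
            continue  # blanks never count toward the minimum
        if hmac.compare_digest(given.encode("utf-8"), known.encode("utf-8")):
            matches += 1
    return matches >= min_required


# Constructed configuration and records (hypothetical field names).
LOGIN_FIELDS = ["dob", "zip", "last_name"]
MIN_REQUIRED = 2
RECORD_PARTIAL = {"dob": "1980-01-02", "zip": "", "last_name": None}
RECORD_FULL = {"dob": "1975-06-30", "zip": "63110", "last_name": "Lee"}
BLANK_SUBMISSION = {"dob": "", "zip": "", "last_name": ""}
GOOD_SUBMISSION = {"dob": "1975-06-30", "zip": "63110", "last_name": ""}


def evaluate() -> dict:
    """Run both checks over the constructed cases and return the outcomes."""
    args = (LOGIN_FIELDS, MIN_REQUIRED)
    return {
        "naive_blank_vs_partial": login_naive(BLANK_SUBMISSION, RECORD_PARTIAL, *args),
        "strict_blank_vs_partial": login_strict(BLANK_SUBMISSION, RECORD_PARTIAL, *args),
        "strict_blank_vs_full": login_strict(BLANK_SUBMISSION, RECORD_FULL, *args),
        "strict_good_vs_full": login_strict(GOOD_SUBMISSION, RECORD_FULL, *args),
    }


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name}: {result}")
```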
Version 14.5.29 (released on 2024-12-12) |
Bug fix: On the CDP Mapping page for CDIS, any HTML existing inside the field label of fields being mapped would mistakenly not get stripped out, thus possibly causing readability issues and other issues on that page. |
Bug fix: The C# code generated by the API Playground had some errors. (Ticket #241561) |
Bug fix: When an admin clicks the "Auto-fill form/survey" link on a form or survey, and specific number-validated fields (e.g., number_2dp_comma_decimal) have a min or max range validation, this would result in an out-of-range validation error on the page. (Ticket #226377b) |
Bug fix: When importing data using the Data Import Tool or API, it would mistakenly not be possible to import Missing Data Codes for a Slider field. Note: This was supposedly fixed in REDCap 14.5.22 LTS, but it was not. (Ticket #243896) |
Bug fix: When modifying the label of a field in a matrix while in Draft Mode in production status, in which the field contains data for one or more records, a red warning saying "*Possible data loss if a matrix field's label changes" should be displayed on the Project Modifications page; however, that warning was mistakenly not being displayed in that situation. Bug emerged in REDCap 14.5.0. (Ticket #245793) |
Bug fix: When using SendGrid as the outgoing email provider, if the system-level setting "Utilize the Display Name in all outgoing emails?" is turned off, the Reply-To Display Name might mistakenly still get added to outgoing emails. (Ticket #245904) |
Bug fix: When using the DAG Switcher in a project, and the current user clicks the Switch button to open the DAG Switcher dialog, the drop-down list of DAGs in the dialog would mistakenly not look completely like a drop-down element, thus potentially causing confusion. (Ticket #245627) |
Bug fix: When using the URL of a website (e.g., public survey link) as the Embed Media URL for a Descriptive field, the embedded website would mistakenly not display properly when viewing the survey page or data entry form on an iOS device. (Ticket #245700) |
Version 14.5.28 (released on 2024-12-06) |
Critical bug fix: Under specific circumstances when using PHP 8, data entry forms and survey pages might mistakenly always crash with a fatal PHP error, thus making data collection impossible. Bug emerged in the previous version. (Ticket #245574) |
Version 14.5.27 (released on 2024-12-05) |
Medium security fix: A Stored XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom HTML and JavaScript in a specially crafted way into the record name of a record being imported via the Data Import Tool or API, after which the exploit could be activated in a specific place in the Online Designer. This can only be exploited by authenticated users. Bug exists in all versions of REDCap in the past 8 years. |
Minor security fix: If REDCap Messenger is enabled, a malicious user could impersonate another user in the system specifically when uploading a file into a Messenger conversation by manipulating an HTTP request in a specially-crafted way. Note: This would not give the user being impersonated access to a Messenger conversation to which they do not have access, but it would make it appear as if the other user uploaded the file to the conversation. This can only be exploited by authenticated users. Bug exists in all versions of REDCap in the past 8 years. |
Bug fix: A missing LOINC code was added to the CDIS mapping features. |
Bug fix: An outdated version of jQuery was mistakenly included in REDCap as part of a third-party library. That outdated version has been removed since it did not serve a functional role in the library. (Ticket #245523) |
Bug fix: If a Text field or Dropdown field is embedded on an instrument but is not using the ":icons" notation (e.g., {myfield:icons}), then if Missing Data Codes are being used in the project and the field's current saved value is a MDC, there would be no way for a user to clear out the MDC and thus change the field's value. In this situation, the M icon will now be displayed next to the field to allow users to unset the MDC value. (Ticket #245398) |
Bug fix: When a user attempts to resize the Choices textbox (for a multiple choice field) inside the Edit Field dialog in the Online Designer, the elements below the textbox would not move in response to the resizing, thus allowing the textbox to be stretched and mistakenly appear underneath the other elements. (Ticket #245180) |
Bug fix: When an admin clicks the "Auto-fill form/survey" link on a form or survey, and a DMY or MDY formatted date field has the literal value "today" as the min or max range validation, this would result in an out-of-range validation error on the page. (Ticket #226377) |
Bug fix: When downloading the Notification Log on the Alerts & Notifications page, the resulting CSV file's filename would mistakenly end with ".csv.csv". (Ticket #245440) |
Bug fix: When exporting data to SPSS, the SPSS Pathway Mapper batch file would mistakenly remove the BOM (byte order mark) from the SPSS file, leading to UTF-8 characters in the SPSS file getting mangled. |
Bug fix: When modifying a matrix of fields in the Online Designer, in which the variable names of some fields are changed, the fields would mistakenly not be saved correctly, and attributes of some fields in the matrix might get merged into other fields in the matrix. (Ticket #244773) |
Bug fix: When performing a data import that contains values for the Secondary Unique Field in the project, in which the SUF's value happens to be a Missing Data Code and another record already has the same Missing Data Code saved for the SUF in the other record, the import process would stop with an error message saying the value of the field duplicates the value from another record. The SUF uniqueness check should not be performed when importing a Missing Data Code. (Ticket #245182) |
Bug fix: When the "Require a reason when making changes to existing records" feature is enabled in a project and a user goes to import data using the Data Import Tool, the user is given a warning message if a "reason" is not provided for all existing records being modified by the import, but it would mistakenly allow the import to take place without a reason provided, which should not be allowed. (Ticket #245514) |
Bug fix: When uploading a consent form file for a survey on the e-Consent Framework page, in which the file uploaded is not a PDF file, it would mistakenly add a placeholder in the consent file version table (but with a blank value for the PDF file), which would prevent users thereafter from uploading the correct file with the same consent form version number (because the version number is already used by the previous mistaken upload). (Ticket #245561) |
Bug fix: When using Twilio/Mosio telephony services in a project that is utilizing the setting to use a mappable multiple choice field for the Delivery Preference, if a new record is created via a data import or via the API, in which the mappable field value is set during the import process, the new record's delivery preference would mistakenly be set to the project default delivery preference (or instead as "Email") rather than to the correct delivery preference value for the record. (Ticket #245186) |
Bug fix: When viewing the field-view in the Online Designer, in which a date/datetime field is embedded and also has the CALCDATE action tag, the green "Field is embedded elsewhere on page" button would mistakenly be hidden for that field. (Ticket #245243) |
Bug fixes for Clinical Data Interoperability Services (CDIS): 1) Resolved incorrect display of mapped status for "Device - Implants" resources in the CDIS Mapping Helper, and 2) Fixed saving functionality for "Device - Implants" resources in the matching form for CDM projects. |
Version 14.5.26(released on 2024-11-26) |
Minor security fix: A vulnerability was discovered in REDCap Messenger in which a malicious user could potentially exploit it by manipulating an HTTP request in a specially-crafted way that would potentially allow them to enumerate a list of all usernames in the whole system, including users' first and last name. This can only be exploited by authenticated users. Bug exists in all versions of REDCap 7.4.0 and later. |
Bug fix: If a survey ends via a Stop Action and the Alternate Survey Completion Text has been left blank, it would display no text at all at the end of the survey when it should instead default to displaying the regular Survey Completion Text. (Ticket #245008) |
Bug fix: In very specific situations where a date/datetime field has the READONLY action tag, the calendar datepicker icon next to the field would mistakenly still be displayed, thus allowing users to inadvertently modify the field value using the datepicker widget. (Ticket #244986) |
Bug fix: The Data Search feature on the "Add/Edit Records" page might mistakenly keep saying "Searching..." even when nothing has been returned if certain keys on the keyboard are clicked, such as Enter, when typing the search term. (Ticket #54818b) |
Bug fix: The piping documentation mistakenly did not specify that piping essentially bypasses a user's Data Viewing Rights, so even if a user has 'No Access' Data Viewing Rights for the instrument of a piped field, any user will be able to view the data of the piped field regardless of where the field is being piped. More information has now been added to the piping documentation to clarify this missing piece of information. (Ticket #244827) |
Bug fix: Various fixes in CDIS with specific regard to ensuring that authentication in REDCap works correctly and successfully when in an EHR/CDIS context. |
Bug fix: When MLM is active, the redirection of completed surveys via the survey termination option "Redirect to a URL" would not work as expected. (Ticket #244741) |
Bug fix: When uploading a file into a REDCap Messenger conversation while inside a REDCap project, the Upload File dialog would mistakenly be covered by the left-hand project menu. |
Version 14.5.25(released on 2024-11-20) |
Major security fix: A Stored XSS (Cross-site Scripting) vulnerability was discovered in REDCap Messenger and in the Data Quality module in which a malicious user could potentially exploit it by inserting custom HTML and JavaScript in a specially crafted way. These can only be exploited by authenticated users. Bugs exist in all versions of REDCap 7.4.0 and later. |
Major security fix: An SQL Injection vulnerability was found on a MyCap-related page, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request in a specially-crafted way. This can only be exploited by authenticated users. Bug exists in all versions of REDCap 13.0.0 and later. |
Minor security fix: A security vulnerability was discovered in the Moment.js library that is utilized by REDCap. That library has been removed from the REDCap code to remediate this issue. |
Minor security fix: Due to a ReDoS (Regular expression Denial of Service) vulnerability discovered in the Vue third-party library that is bundled in REDCap, the Vue library utilized specifically on the CDP Mapping page has been upgraded to a newer version that does not contain the vulnerability. |
Bug fix: If one or more fields are piped into the survey instructions of a survey, in which the fields being piped are located on the first page of the survey, the real-time piping action might not occur when entering data into those fields on the first survey page unless those same fields happen to be piped elsewhere on the page. |
Bug fix: In a multi-arm project that utilizes the Survey Queue or certain [survey-X] Smart Variables, in which individual records will exist on multiple arms at the same time, if a record exists in one arm and then a participant uses the Survey Queue to navigate to a survey in another arm where the record does not yet exist, the participant would mistakenly be redirected to the survey page that asks them to enter a survey access code. And if using a [survey-X] Smart Variable that refers to a survey on another arm, it would mistakenly return a blank value. |
Bug fix: Several missing LOINC codes were added to the CDIS mapping features. |
Bug fix: The API Playground page might load unusually slowly for older projects or busy projects (i.e., with lots of logged events). |
Bug fix: When a matrix of fields contains no choices, the Online Designer field-view page, data entry form, and survey page containing that matrix might mistakenly crash due to a fatal PHP error when using PHP 8. (Ticket #244669) |
Bug fix: When exporting a report in "labels" format for a report that is sorted by a multiple choice field that has integers for every choice value, the resulting exported data would mistakenly not be sorted according to the choice labels but would often revert to being sorted by the record ID field instead. (Ticket #244525) |
Bug fix: When using Multi-Language Management and translating field labels, in certain cases some text in the field label might not align horizontally with other text that should be displayed on the same line. |
Bug fix: When using a CDIS service, the Date of Death value of a patient was mistakenly displayed in Zulu (UTC) time instead of the expected local formatted time. The date is now converted to local time and formatted to YYYY-MM-DD HH:MM format for consistency. |
Version 14.5.24(released on 2024-11-14) |
Bug fix: A duplicate language key for MyCap existed in the English.ini file. (Ticket #243930) |
Bug fix: If the Survey Base URL is being used together with Clickjacking Prevention in the REDCap installation, "Custom Surveys for Project Status Transitions" survey pages would initially load in a user's browser, but after clicking a submit button on the survey, the page would be blocked and would not load any more pages. Note: This was supposedly fixed in REDCap 14.5.16 (LTS) and 14.6.10 (Standard), but it was only partially fixed. (Ticket #240644b) |
Bug fix: If using the AWS CloudFormation deployment of REDCap, the REDCap upgrade process might mistakenly fail or have issues due to the "upgrade-aws-eb.sh" file inside the REDCap source code not being up-to-date with the same file stored in the GitHub repo for REDCap's AWS CloudFormation (https://github.com/vanderbilt-redcap/redcap-aws-cloudformation/ ). The file inside REDCap has now been updated to match the GitHub file. |
Bug fix: In a MyCap-enabled project, REDCap was mistakenly listing DAG-specific announcements in a participant's message thread even if they are not in the DAG. |
Bug fix: In a MyCap-enabled project, fields with the action tag MC-PARTICIPANT-CODE would mistakenly not get updated with the participant code value for records created via the API. |
Bug fix: When downloading a PDF containing saved data, in which the PDF contains data for repeating instruments and/or repeating events, the repeating instances might be mistakenly displayed out of order in the PDF (with the instances of different repeating instruments being ordered by instance number instead of being ordered by instrument then instance number). Additionally, some of the repeating instruments might be duplicated as empty forms (as if they have no data) on certain pages in the PDF. (Ticket #244080) |
Bug fix: When using field embedding on a Descriptive field that has an "Embed media" URL that is set to be displayed "Inline", the resulting "View media" button and/or field label would mistakenly not appear where the field is supposed to be embedded on a survey page or data entry form. (Ticket #243847) |
Bug fix: When using the "Erase all data" option on the Other Functionality page or when moving a project to production while erasing all records, any PDF Snapshots that are stored in the "PDF Snapshot Archive" in the File Repository would mistakenly not be deleted during this process. (Ticket #244073) |
Bug fix: When using the [stats-table] Smart Variable with one or more unique event names appended to it (in order to limit the table data to specific events), the resulting stats table would mistakenly always display counts from all events for the given field instead of the specified events. (Ticket #244162) |
Version 14.5.23(released on 2024-11-12) |
Major bug fix: In several places in a project where survey links are generated, such as using the Smart Variable [survey-link] or the EM developer method REDCap::surveyLink(), those might return a blank value instead of a real URL. Additionally, if a survey has the "Allow participants to download a PDF of their responses at end of survey?" option set to "Yes" on the Survey Settings page, participants would get a 404 error in their browser when clicking the PDF Download button after completing the survey, thus preventing them from downloading the survey. Bug emerged in the previous version. (Ticket #244103, 244176) |
Version 14.5.22(released on 2024-11-07) |
Minor security fix: Due to a ReDoS (Regular expression Denial of Service) vulnerability discovered in the Vue third-party library that is bundled in REDCap, the Vue library has been upgraded to a newer version that does not contain the vulnerability. |
Bug fix: When importing data using the Data Import Tool or API, it would mistakenly not be possible to import Missing Data Codes for a Slider field. (Ticket #243896) |
Bug fix: In certain cases, when creating a new project using a Project XML file that contains Custom Record Status Dashboards, the "Select instruments/events" attribute might not get set correctly during the import, thus causing that dashboard not to display any instruments when viewing it. (Ticket #243909) |
Bug fix: In some rare cases when upgrading from a REDCap version lower than 14.3.1, the upgrade page might mistakenly fail to load completely. Bug emerged in REDCap 14.3.1 Standard. Note: This was supposedly fixed in the previous release, but mistakenly it was not. |
Bug fix: When certain record-based [survey-X] Smart Variables are utilized on a survey or data entry form (e.g., CALCTEXT([survey-access-code])), in which the record has not been created yet, duplicate rows might mistakenly be added for the resulting record in the Participant List. |
Bug fix: When clicking the "Download all" button when viewing the PDF Snapshot Archive in the File Repository, any PDF snapshots created using a logic-based snapshot trigger would mistakenly not be included in the downloaded zip file. (Ticket #243743) |
Bug fix: When enabling MyCap on a project that has existing records, the MyCap participant code would mistakenly not get populated for fields with the action tag @MC-PARTICIPANT-CODE. |
Bug fix: When uploading user role assignments via CSV on the User Rights page, if the username in the CSV file has trailing spaces, those spaces might mistakenly not get removed when saving the user role assignments in the project. (Ticket #243138b) |
Version 14.5.21(released on 2024-10-31) |
Medium security fix: A Reflected XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom HTML and JavaScript in a specially crafted way into the value of a Text field or Notes field by authenticated users on a data entry form or by survey participants on a survey. It can only be exploited by entering text containing the HTML "embed" tag when dynamic piping is happening on the current page via JavaScript. Bug emerged in REDCap 14.5.0. |
Bug fix: If a user assigned to a Data Access Group is viewing the Notification Log for "Alerts & Notifications", in which one or more alerts have been set as a recurring alert, the page would mistakenly display future notifications for records not in the user's DAG. (Ticket #243195) |
Bug fix: If a user is importing data via the API or Data Import Tool, in which the user is not assigned to a DAG and the data import file contains the "redcap_data_access_group" field, if the import file contains multiple records and the "Overwrite data with blank values?" setting is set to "Yes", then any records that are currently assigned to a DAG but have a blank value for the "redcap_data_access_group" field in the import file would get correctly unassigned from their current DAG, but the Record List Cache would mistakenly not get updated to reflect this DAG unassignment. This means that until the Record List Cache is reset, the record might appear to be in a DAG even though it is technically not assigned to a DAG anymore. (Ticket #242983) |
Bug fix: If an alert has been created with the "When to send the alert" setting as "Send the alert X [units] after the day (beginning at midnight) that the alert was triggered", then downloading the alerts as a CSV file and then re-uploading them would result in an error for this particular setting. (Ticket #237215) |
Bug fix: In rare cases, a fatal PHP error might occur on a survey when using PHP 8. (Ticket #243300) |
Bug fix: In some cases, the Background Data Import process might mistakenly fail to finalize itself even after all records appear to have been successfully imported. (Ticket #243425) |
Bug fix: In some rare cases when upgrading from a REDCap version lower than 14.3.1, the upgrade page might mistakenly fail to load completely. Bug emerged in REDCap 14.3.1 Standard. |
Bug fix: The "Download form display logic setup" drop-down option in the Online Designer form-view would mistakenly not be visible because it would be obscured by the table immediately below it. (Ticket #243052) |
Bug fix: The API method "Export a List of Files/Folders from the File Repository" would mistakenly require API Import privileges. It should only require API Export privileges and File Repository privileges in the project. (Ticket #243161) |
Bug fix: The Email Users page would mistakenly list users that do not have the "Display user on 'Email Users' page?" checkbox checked for them on the Browse Users page in the Control Center. (Ticket #234149) |
Bug fix: When downloading a PDF of a survey instrument or when REDCap is storing a PDF Snapshot of a survey instrument, certain HTML tags that exist in the survey instruction text might mistakenly get stripped out before being properly processed into line breaks, etc. for the PDF. Bug emerged in REDCap 14.5.0. (Ticket #243240) |
Bug fix: When uploading user-DAG assignments via CSV on the Data Access Groups page, if the username in the CSV file has trailing spaces, those spaces might mistakenly not get removed when saving the user-DAG mappings in the project, which could cause the DAG page's table not to display all DAG users in the "Users in group" column. (Ticket #243138) |
Bug fix: When using Multi-Language Management, if a field has the @LANGUAGE-SET action tag, the language-switching functionality will not work for it if the field is embedded. (Ticket #243593) |
Version 14.5.20(released on 2024-10-24) |
Major security fix: A Stored XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom HTML and JavaScript in a specially crafted way into a Text field or Notes field whose value is being piped on the same page of a survey or data entry form. This vulnerability can be exploited by authenticated users and also by survey participants entering data. Bug emerged in REDCap 14.5.0. |
Bug fix: If an email contains a piped File Upload field variable using the ":inline" piping option (e.g., [my_file:inline]), for certain email servers and certain email configurations in REDCap (e.g., SMTP), the file would mistakenly not get attached to the email as a regular attachment if the file is not an image file. (Ticket #242935b) |
Bug fix: If an email contains a piped File Upload field variable using the ":link" piping option (e.g., [my_file:link]), clicking the download link in the email would mistakenly display the error message "NOTICE: This file is no longer available for download" rather than downloading the file. (Ticket #242935) |
Bug fix: In certain situations, one of the Clinical Data Pull (CDP) cron jobs for CDIS might crash unexpectedly. |
Bug fix: Modifying the value of a drop-down field, specifically one that has autocomplete enabled, would mistakenly not trigger the "Save your changes?" dialog or the "Reason for change" dialog (if enabled) in the project. (Ticket #242610) |
Bug fix: When data is exported from the Database Query Tool while "query context" was used in the query, this context was not properly evaluated and the page crashed during the export. |
Bug fix: When exporting data via the Export Records API method with parameter type=eav, if any duplicate values somehow exist in the backend data table for a single field, those duplicates would mistakenly be output in the resulting data that is returned from the API. (Ticket #242493) |
Bug fix: When importing data into a longitudinal project (whether via API, Data Import Tool, Mobile App, or data in a Project XML file), in which data for a repeating event or repeating instrument is being imported when the first instrument in the project is not designated for the event of data being imported, in certain situations the form status field for the first instrument might mistakenly receive a "0" (Incomplete) value during the import, even when that field is not included in the data being imported. This inadvertently creates data values that are automatically orphaned and never accessible in the user interface except in reports and data exports. (Ticket #242590) |
Bug fix: When the e-Consent Framework is enabled for a survey, the "Save & Mark Survey as Complete" button would mistakenly be displayed when viewing the instrument as a data entry form. Clicking this save button would mark the survey as complete and log it as if an e-Consent certification took place, when in fact it did not because the certification was essentially bypassed. e-Consent surveys should only ever be completed on the survey page itself and not on a data entry form. Going forward, the "Save & Mark Survey as Complete" button will no longer be displayed on the data entry form for any survey instrument that has the e-Consent Framework enabled. (Ticket #242860) |
Bug fix: When uploading a file for a File Upload field, in which the file exceeds the system-level maximum file size setting for File Upload fields, the file would mistakenly remain on the server for 30 days until it was then permanently deleted. Going forward, the file will never be initially stored in the system if it exceeds the file size limit. |
Bug fix: When using the "Go to field" functionality in the Online Designer (Ctrl-G or Cmd-G) and searching for a field by typing in part of the variable name or field label, a JavaScript error would be thrown in the browser console if the current instrument does not have any fields. (Ticket #242884) |
Version 14.5.19(released on 2024-10-17) |
Major bug fix: In some extremely rare cases, it might be possible that the same return code could be generated for two different participants taking the same public survey. In certain situations, this could possibly allow one participant to inadvertently view the responses of another participant. (Ticket #241815) |
Bug fix: If a record is deleted when the data privacy/GDPR feature "Delete a record's logging activity when deleting the record?" is enabled in a project, the email log associated with that record would mistakenly not get deleted along with the regular logging information. Note: This fix will not retroactively remove the email logging of already-deleted records in projects with this feature enabled, but it will prevent this issue from occurring in the future. (Ticket #242184) |
Bug fix: If data exists for a field used in branching logic or in a calculation in a longitudinal project, in which the data is orphaned from a previously-repeating instrument or event (i.e., it is no longer repeating but had data collected for it back when it was repeating), then some of the orphaned data might mistakenly be used on a survey/form for cross-event branching logic and calculations, thus causing the branching/calc not to behave as expected. |
Bug fix: In very specific situations after submitting the first page of a multi-page survey, the Required Field dialog might mistakenly be displayed saying that a field that is not present on the first page (but is present on the second page) has a missing value. (Ticket #236511) |
Bug fix: Minor text error in the Smart Variable documentation. |
Bug fix: Multi-instrument PDF Snapshots were likely to be malformed in larger/complex projects when MLM was enabled. (Ticket #242031) |
Bug fix: The Custom Event Label might cause significant performance issues to arise on the Record Home Page for certain projects. |
Bug fix: The cron job responsible for fetching data from the EHR system via CDIS might be unable to retrieve a valid FHIR access token under specific conditions, causing the fetch process to fail. Additionally, the EHR ID might mistakenly not get logged in the FHIR Logs database table during CDIS processes. |
Bug fix: When a project is utilizing the Survey Queue together with the Survey Login feature, in which a survey participant has already logged in to a survey but then later reopens that same survey during the same "session", the icon/link to the Survey Queue would mistakenly not appear at the top-right of the first page of that survey as it should, even when some surveys exist in the participant's survey queue. (Ticket #242182) |
Bug fix: When a repeating instrument is enabled as a survey, and a participant navigates to that survey with "&new" appended to the URL to denote that a new repeating instance should be created from that response, branching logic and/or calculations on the survey page would mistakenly not work as expected if the fields used in the branching/calculations exist on a different instrument. Bug emerged in REDCap 14.5.14 LTS and 14.6.8 Standard Release. |
Bug fix: When certain video types (e.g., MP4) are added to the Embed Media URL of a Descriptive field, the video might not be playable for certain mobile browsers, such as Mobile Safari on iOS, if the project has MLM enabled on the current form/survey. (Ticket #241505b) |
Bug fix: When creating a new project via a Project XML file, in which the project contains one or more logic-based PDF Snapshot triggers, it might cause the project not to be fully created and thus not accessible to the user afterward. |
Bug fix: When exporting a Project XML file containing data for a longitudinal project that has repeating instruments, the resulting XML might be malformed in the file, thus causing some of the repeating instrument data not to get transferred to a new project created from the XML file. |
Bug fix: When moving an entire matrix of fields in the Online Designer to the top of another instrument, an error would result, thus preventing the matrix from being moved successfully. |
Bug fix: When moving an entire matrix of fields in the Online Designer, especially when moving them to another instrument, some fields in the matrix may not get moved successfully and/or the fields in the instrument might be messed up in various ways in the backend database, thus causing things not to display correctly for the instrument. (Ticket #236128, #241606) |
Bug fix: When uploading an Instrument Zip file or when copying an instrument in the Online Designer, if a field in the instrument has branching logic that contains an inline comment with an odd number of single quotes and/or double quotes, it would prevent the instrument from being uploaded or copied, respectively. (Ticket #241955) |
Bug fix: When using Multi-Language Management, floating matrix headers were not aligned properly on surveys for right-to-left languages. (Ticket #222689b) |
Bug fix: When using Twilio or Mosio telephony features in a project, in which an Automated Survey Invitation is set to be triggered and sent using the "participant's preference" for the ASI invitation type, if the mappable invitation preference field is being utilized in the project, then if a user sets the value for the invitation preference field on a form/survey, in which the ASI gets triggered and one or more calculated fields from other forms/events get subsequently triggered from the form/survey save, then the ASI will be sent/scheduled using the project's default value for delivery preference rather than using the participant's already-set delivery preference (from the invitation preference field). (Ticket #242434) |
Bug fix: When using Twilio or Mosio, it would mistakenly not send SMS messages to U.S. phone numbers with certain newer area codes, specifically 235, 324, 329, 353, 436, 624, 645, 686, 728, and 861. |
Version 14.5.18(released on 2024-10-09) |
Major bug fix: If a project has one or more [non-e-Consent] PDF Snapshots enabled to be triggered by the completion of a specific survey, in which that same survey has had the e-Consent Framework enabled in the past but is currently disabled for the survey, in certain situations the active PDF Snapshots would mistakenly not get triggered and saved when the survey is completed by a participant. Bug emerged in REDCap 14.5.11 LTS and 14.6.5 Standard. (Ticket #241710) |
Bug fix: When a participant has completed an e-Consent survey, in which a consent form has been defined on the e-Consent Framework page for that survey, and then a PDF of that response is later downloaded or a PDF Snapshot of that response is later saved, the resulting PDF would mistakenly not always contain the consent form that the participant saw when they completed the survey, but (especially when MLM is not being used) they would see a newer version of the consent form, assuming a newer version of the consent form has been added to that survey. (Ticket #241501) |
Bug fix: When certain video types (e.g., MP4) are added to the Embed Media URL of a Descriptive field, the video might not be playable for certain mobile browsers, such as Mobile Safari on iOS. (Ticket #241505) |
Bug fix: When exporting a Project XML file that contains e-Consent Framework settings, if the project is longitudinal and the e-Consent settings have a "Last name field" or "Date of birth field" defined, the e-Consent settings might not get successfully imported into the new project created using the Project XML file. Bug emerged in REDCap 14.5.0. |
Version 14.5.17(released on 2024-10-03) |
Major security fix: If a malicious user is logged in and has access to at least one report in one project, they could potentially manipulate the URL of specific REDCap end-points in order to view the results of any report for any project, even when they do not have access to that report or project. |
Major bug fix: Some of the AJAX end-points used by the Email Users page in the Control Center would mistakenly allow non-administrators to access them (if a user knows how), which could allow normal users to possibly view the list of all users (usernames, names, and emails) in the system. |
Bug fix: An issue would occur for Clinical Data Pull (CDP) projects in which entries in the redcap_ddp_records database table were incorrectly marked with a "future date count" > 0 if no temporal fields were mapped but date fields were present in the project. This would cause affected records not to be queued for automatic fetching in the background. |
Bug fix: For some server configurations, the MyCap logo displayed on the Multi-Language Management setup page might either not be displayed or might cause the whole page not to be displayed in MyCap-enabled projects. (Ticket #241449) |
Bug fix: In very rare situations, when a person receives a file via Send-It, they would not be able to download it because it may appear to have already expired prematurely. |
Bug fix: The instrument view of the Online Designer would mistakenly throw a JavaScript error. This would not cause any issues, but would show up in the browser console. (Ticket #241201) |
Bug fix: The question-mark popover in Step 2A option 3 when adding/editing an alert on the Alerts & Notifications page would mistakenly display escaped HTML in the popover rather than interpreting the HTML tags. |
Bug fix: When a radio or drop-down field has numeric-only choice codes, in which the field has a blank/null value and is used in the concat_ws() function, the field would mistakenly be represented as "NaN" (in JavaScript) and as "NAN" (in PHP) in the result of concat_ws(). (Ticket #241098) |
Bug fix: When a survey has the e-Consent Framework enabled and also has "Save & Return Later" enabled with the "Allow respondents to return without needing a return code" option checked, the survey would mistakenly display a Return Code when the participant clicks the "Save & Return Later" button, and it would also ask for a Return Code when loading the survey page after having not completed it. Bug emerged in REDCap 14.5.15 and 14.6.9. (Ticket #241142) |
Bug fix: When clicking a value displayed in the results of a Data Quality rule, which opens the data entry form in a new tab, it would mistakenly not put the focus on the field if the field is a Notes field type. (Ticket #241058) |
Bug fix: When deleting a user account when viewing an individual account on the Browse Users page in the Control Center, the User Search text box on the page would mistakenly no longer be functional for searching unless the page is reloaded. (Ticket #241142) |
Bug fix: When the first field on a given instrument has a section header above it, and then in the Online Designer a user attempts to add a field between the section header and the field immediately below it, if the project is in draft mode while in production, the newly added field might get added but would end up in a weird limbo state so that the field might not be visible afterward. (Ticket #241530) |
Bug fix: When using MLM for translating survey invitations, specifically those sent via SMS, it could cause a fatal PHP error for the cron job when using PHP 8. (Ticket #92266b) |
Bug fix: When using Multi-Language Management, the wrong message was shown on the Misc tab for the base language on the MLM setup page. |
Bug fix: When using the READONLY action tag on the Secondary Unique Field on a survey that has the SUF prefilled via URL variables, the field would mistakenly be editable and not read-only. Note: This occurs only on the SUF when viewed specifically in survey mode, and only when prefilling is being performed. Also, this was supposedly fixed in REDCap 14.5.8 LTS and 14.6.2 Standard, but it was apparently only fixed in specific use cases. (Ticket #237623b) |
Version 14.5.16(released on 2024-09-26) |
Bug fix: For certain PHP versions, a JavaScript error might occur on the Project Setup page when enabling the Mosio feature. |
Bug fix: For projects in draft mode using the e-Consent Framework that have had a field modified or deleted on an e-Consent survey, the notice displayed to the user prior to submitting their drafted changes for approval (which mentions that the user should probably change the e-Consent version number) is no longer applicable in v14.5.0+ because the version number is no longer necessarily connected to the survey or its fields, but instead is connected only to the consent form displayed on the survey. Given this, it no longer makes sense to display this notice to the user. Thus, the notice will no longer appear to users in this specific situation. (Ticket #240518) |
Bug fix: If the Survey Base URL is being used together with Clickjacking Prevention in the REDCap installation, it would prevent any of the "Custom Surveys for Project Status Transitions" survey pages from loading in a user's browser. (Ticket #240644) |
Bug fix: The text of some dialogs that appear on PROMIS surveys was mistakenly not available to be translated via Multi-Language Management. (Ticket #239286) |