Upgrade 14.0.7 Detailed Features Changes List
Version 14.0.7 (released on 2024-01-11)
Major security fix: Several Reflected XSS (Cross-site Scripting) and Stored XSS vulnerabilities were discovered in which a malicious user could potentially exploit them by inserting custom JavaScript in a specially crafted way into specific URLs or POST parameters in several places, including the Data Quality page, Custom Application Links, Report Folders, and other places. The user must be authenticated into REDCap in order to exploit these in a project. Bugs exist in all REDCap versions for the past 10 years.
Major security fix: An SQL Injection vulnerability was found on a Calendar-related page, some MyCap-related pages, the Define My Events page, the Online Designer, the Record Home Page, and other places, in which a malicious user could potentially exploit it and execute arbitrary SQL commands on the database by manipulating an HTTP request in a specially-crafted way. In order to exploit these, the user must be logged in as a REDCap user. Bugs exist in all REDCap versions for the past 10 years.
Bug fix: The upgrade process might unexpectedly stop due to an SQL error in the upgrade SQL script when upgrading to or higher than REDCap 14.0.1 in some cases.
Bug fix: In certain situations when using Clinical Data Pull for CDIS, the process might stop with a fatal PHP error for some PHP version.
Bug fix: When using Multi-Language Management, in which the highlighting feature for untranslated items is enabled, some items would mistakenly be highlighted on the page that should not be highlighted. (Ticket #221418)
Bug fix: If a record contains multiple consecutive spaces in its record name, some things might not display correctly on certain pages when viewing the record, such as the floating table of repeating instances when clicking on the "stack" status icon for a repeating instrument on the Record Home Page or Record Status Dashboard.
Bug fix: When using Clinical Data Pull in CDIS, conditions or medications were not shown in the CDP adjudication dialog unless a specific status was specified.
Bug fix: During the cache file creation process for Rapid Retrieval, concurrent write attempts could lead to PHP errors and potentially high CPU usage in some specific cases. (Ticket #221459)
Bug fix: The “Create new API token for user” dialog might mistakenly display the option “External Modules API”, which is not a published feature yet. (Ticket #221904)
Bug fix: When using Clinical Data Mart in CDIS, the CDM auto-fetch feature was not properly scheduling a fetch process.
Bug fix: When viewing the Record Status Dashboard when Data Access Groups exist in a project, in certain situations the RSD page might load a bit slowly due to an excessive amount of SQL queries being run. (Ticket #221998)
Bug fix: When using Multi-Language Management, the MLM setup page might not sort the choices of multiple choice fields in the correct order as seen in the Codebook and Online Designer. (Ticket #221888)
Bug fix: Usernames with apostrophes could not be added to a project or assigned to a user role through the user interface on the User Rights page. (Ticket #221933)
Bug fix: When using the Survey Queue, in which survey participants are added initially via the Participant List, if neither the Designated Email field nor the Participant Identifier is used in the project, and the Survey Response Status is "Anonymous*", the Survey Queue's "Get link to my survey queue" popup would mistakenly display the participant's email address, thus breaking the participant's anonymity in the project. Going forward, it will no longer display the participant's email address in that popup in this situation. (Ticket #221804)
Bug fix: When using the Background Data Import process, in which an error occurs, if a user goes to download the CSV file containing the list of errors for the import batch, the first letter of the error message in a given row might be missing.
Version 14.0.6 (released on 2024-01-04)
CHANGES IN THIS VERSION:
Bug fix: When using CDIS in certain contexts where data is being pulled for specific research studies, the FHIR ID of a research study might not be found.
Bug fix: When importing alerts via a CSV file, if the file contains some mangled characters due to incorrect encoding, the file might fail to upload and would mistakenly not produce any error message.
Bug fix: When using CDIS, issues might occur when fetching “conditions” data having a status other than "active". Additionally, new FHIR resources were inadvertently excluded from mapping in CDP projects. This includes the following mappable resources: encounter, coverage, procedure, device, and all conditions (including their status).
Bug fix: If using file-based storage for Rapid Retrieval, in which an alternative storage directory has been defined, in certain cases many of the cached files in the alternative directory would mistakenly not get deleted after the 5-day expiration time.
Bug fix: The REDCap::evaluateLogic() developer method's documentation mistakenly did not include information about the current_context_instrument parameter, which is required for the correct evaluation of logic that contains certain Smart Variables. This parameter should be provided to the method if the logic is being evaluated within the context of a specific instrument (e.g., while on a survey page or data entry form). This parameter has been added to the method's documentation. (Ticket #220861)
Bug fix: When enabling Twilio in a project, it is possible in certain cases to enter the same Twilio phone number (if it is a U.S. number) for more than one project. This could be done by entering the phone number in one project with the U.S. country code, and then entering it in another project without the U.S. country code. (Ticket #221468)
Bug fix: When using the functions day(), month(), or year(), more than once inside a calculation, it might not parse the calc correctly, thus possibly returning incorrect results. (Ticket #221544)
Version 13.7.29 (released on 2024-01-02)
CHANGES IN THIS VERSION:
Critical bug fix: REDCap might mistakenly crash with a fatal PHP error when attempting to rename a record via the Record Home Page or API. Bug emerged in REDCap 13.7.27 LTS. (Ticket #221438)
Version 14.0.5 (released on 2023-12-28)
CHANGES IN THIS VERSION:
New LTS branch based off of REDCap 14.0.4 (Standard)
Version 13.7.28 (released on 2023-12-28)
CHANGES IN THIS VERSION:
Medium security fix: The AWS SDK PHP third-party library contained a medium security vulnerability that would mistakenly allow an attacker to possibly perform URI path traversal. The library was updated to the latest version.
Major bug fix: The API Delete Users method was mistakenly not checking if a user had User Rights privileges in the project in addition to API Import/Update privileges in order to successfully make a call to the API method.
Bug fix: In specific situations where multiple File Upload fields are piped onto a page in a specific way, it may cause a JavaScript error that prevents the instrument from loading. (Ticket #221225)
Bug fix: If Form Display Logic or Survey Queue Logic references a specific repeating instance of a field, specifically instance "1", "first-instance", or "last-instance", when the field exists on a repeating event that currently contains no data for a given record, the logic might mistakenly not evaluate correctly. (Ticket #221229)
Bug fix: Direct links to the FAQ in certain places throughout REDCap were not working. They would merely take the user to the top of the Help & FAQ page instead of to a specific item. Bug emerged in REDCap 13.4.0. (Ticket #221329)
Version 13.7.27 (released on 2023-12-21)
CHANGES IN THIS VERSION:
Major bug fix: When checkbox field values are being imported during a data import (via the API or Data Import Tool), in which some calculated fields in the project reference the checkbox field in their calculations, the calc fields might mistakenly not get updated during the import process. (Ticket #221111)
Bug fix: When piping a field on the same instrument on which it is located, the piping might mistakenly not work in a repeating instrument or repeating event context. (Ticket #220610)
Bug fix: When calling the Rename Record API method, the API request would mistakenly get logged as "Switch DAG (API)" when it should instead be logged as "Update record (API)".
Bug fix: In rare cases, a database query run on the Participant List page might cause the page to load very slowly or even time out. (Ticket #211469)
Bug fix: When renaming a record in a multi-arm longitudinal project, in which the new record name already exists in another arm but in another case (e.g., renaming a record to "aa3" in arm 1 when there is already a record "AA3" in arm 2), issues can occur when trying to access the record in either arm in the user interface afterward. When this occurs going forward, the new record name will be forced to be the same case as the existing record in the other arm. (Ticket #217809)
Bug fix: When performing an API Export Records call with type=eav, in some rare cases the record ID field might mistakenly have duplicate rows for some records in the exported data. (Ticket #220860)
Bug fix: In the Online Designer, when a field has a section header immediately above it, and the field is then moved to be directly above that section header, the field would mistakenly revert back to its original position.
Bug fix: When entering data on a data entry form or survey while using a mobile device, in which a text field on the page has field validation and the user has entered a value that will throw a field validation error, if they click the "Add signature" link or "Upload file" link for a signature or file upload field, respectively, while their cursor is still in the text field, then they would get stuck in an infinite loop of popups and not be able to continue data entry on the page. (Ticket #219569)
Bug fix: In some cases when exporting the Project XML file for a project, the process might mistakenly crash with a fatal PHP error when using PHP 8. (Ticket #221097)
Bug fix: When using Google Cloud Storage for file storage in the system, and the "Organize the stored files by REDCap project ID?" setting is enabled, uploading a file on the main Send-It page (i.e., via the tab from the My Projects page) might cause a fatal PHP error when using PHP 8. (Ticket #221098)
Bug fix: Using the function isblankormissingcode() in branching logic would not always return the correct result if the field used in the function is numeric. (Ticket #218984)
Bug fix: If fields are embedded into the field label of a File Upload field or Signature field, the "Upload file"/"Add signature" dialog would mistakenly display the embedded fields as editable, whereas it should instead display them as read-only since their values cannot be modified there inside the dialog. (Ticket #221137)
Version 13.7.26 (released on 2023-12-14)
CHANGES IN THIS VERSION:
Major bug fix: When exporting a report (including using the API Report Export method) in CSV, XML, or JSON format, in which the report is ordered by a field other than the record name and the total size of the exported data is fairly large (containing several hundred or thousand records), the resulting exported data might mistakenly contain duplicate rows, some of which might appear empty while others have the expected data for the given record/event. This bug was supposedly fixed in REDCap 13.7.24 LTS, but mistakenly it was not. (Ticket #219392)
Bug fix: When importing data (via API or Data Import Tool), in which the record name of the record being imported already exists in the project but has a different case (e.g., "101A" vs "101a"), it might cause extra logged events to be added during the data import process, even when no data is being modified. This issue does not seem to affect existing data in any negative way. (Ticket #219755)
Bug fix: When using CDP (Clinical Data Pull), data was mistakenly not being automatically fetched from the EHR and imported into a given CDP project as part of the CPD cron job. The issue was observed specifically in scenarios where certain records lacked a specified Medical Record Number (MRN).
Bug fix: When sending invitations through the Participant List via the Compose Survey Invitations dialog, in some rare cases the action of scheduling/sending the invitations might result in a fatal PHP error for PHP 8. (Ticket #220549)
Bug fix: In a MyCap-enabled project, the MyCap participant install dates and baseline dates would mistakenly get carried over into copied projects and projects created via Project XML upload.
Bug fix: When using Shibboleth authentication, the REDCap redirect URL was mistakenly not URL-encoded in the Shibboleth handler address, which might cause the user not to get redirected back to the correct place after returning from a successful Shibboleth login. (Ticket #220564)
Bug fix: When upgrading REDCap more than once in a single day, the "redcap_history_version" database table would mistakenly only list the last upgrade of the day. (Ticket #220627)
Bug fix: When clicking the increase/decrease font-size button at the top of survey pages, the speaker icons used for text-to-speech functionality would mistakenly not change size.
Bug fix: Some example R code in the API Playground was syntactically incorrect and would cause errors if it was run in R as is. Bug emerged in 13.7.24 LTS and 14.0.0 Standard Release. (Ticket #219535b)
Version 13.7.25 (released on 2023-12-07)
CHANGES IN THIS VERSION:
Major bug fix: When exporting a report (including using the API Report Export method) in CSV, XML, or JSON format, in which the report is ordered by a field other than the record name and the total size of the exported data is fairly large (containing several hundred or thousand records), the resulting exported data might mistakenly be missing many rows of data. Bug emerged in the previous version. (Ticket #220275)
Bug fix: If a proxy is specified on the General Configuration page in the Control Center, the username-password authentication for HTTP requests made during CDIS remote calls to the EHR system might not always work successfully under certain conditions. (Ticket #219039c)
Bug fix: Form Display Logic might mistakenly not be evaluated correctly on the Record Home Page when a record has not been created yet but is in the process of being created. Note: This bug was supposedly fixed in the previous LTS release, but mistakenly it was not. (Ticket #219883)
Bug fix: The query cache efficiency check on the Configuration Check page might mistakenly display a false positive saying that the MySQL query cache is not efficient when actually it is. (Ticket #220049)
Bug fix: When a project has been deleted, some orphaned rows for that project might still exist in certain database tables. (Ticket #220047)
Bug fix: If a survey does not have survey instruction text, and the participant navigates back to page 1 after being on page 2 of the survey, the page would mistakenly display the "View survey instructions" link under the survey title.
Bug fix: When using the Survey Login feature in a longitudinal project, in which a field referenced on the survey login page exists on a different event as the survey currently being taken, the logged event's description of the successful/failed login on the Logging page would mistakenly have the wrong event for the context of the survey login. (Ticket #220174)
Bug fix: When using Azure AD authentication with Endpoint V2, the setting "AD attribute to use for REDCap username" was mistakenly not using all of the options listed in the drop-down but would only use the "userPrincipalName" option, if selected. Now all options can be used in Endpoint V2. (Ticket #134789b)
Bug fix: When clicking the "Download metadata only (XML)" button on the Project Setup->Other Functionality page, it mistakenly would not log the file download. It now logs the download event as "Download REDCap project XML file (metadata only)" on the Logging page. (Ticket #220203)
Version 13.7.24 (released on 2023-11-30)
CHANGES IN THIS VERSION:
Major bug fix: When exporting a report (including using the API Report Export method) in CSV, XML, or JSON format, in which the report is ordered by a field other than the record name and the total size of the exported data is fairly large (containing several hundred or thousand records), the resulting exported data might mistakenly contain duplicate rows, some of which might appear empty while others have the expected data for the given record/event. (Ticket #219392)
Bug fix: For certain REDCap installations, the events on the Define My Events page would not be ordered correctly. (Ticket #219188)
Bug fix: When opening certain dialog popups throughout the application, in which the dialog contains a lot of text, the page might mistakenly auto-scroll downward unexpectedly, thus causing the user to have to scroll back up in order to read the dialog contents.
Bug fix: If a proxy is specified on the General Configuration page in the Control Center, it was mistakenly not using username-password authentication for HTTP requests made during CDIS remote calls to the EHR system. (Ticket #219039b)
Bug fix: The "Upcoming Scheduled Survey Invitations" popup on the Record Home Page might not display all the upcoming invitations scheduled in the next 7 days but might mistakenly omit some. (Ticket #218769)
Bug fix: Some example R code in the API Playground was syntactically incorrect and would cause errors if it was run in R as is. (Ticket #219535)
Bug fix: When a datediff() function has a literal date value (e.g., "22-07-2023") for the first or second parameter in the function, in which the date value is in DMY or MDY date format, the datediff might mistakenly not perform the calculation correctly in some instances - most specifically server-side processes, such as auto-calculations, data imports, and Data Quality rule H. (Ticket #219662)
Bug fix: In some rare cases when using nested IF action tags for a field in which spaces or line breaks appear in specific places in the IF's logic, the IF action tag might mistakenly not evaluate correctly.
Bug fix: Form Display Logic might mistakenly not be evaluated correctly on the Record Home Page when a record has not been created yet but is in the process of being created. (Ticket #219883)
Version 13.7.23 (released on 2023-11-16)
CHANGES IN THIS VERSION:
Bug fix: If the Mosio SMS Services have been enabled in a project, the configuration step for Mosio on the Project Setup page would mistakenly not be displayed if the system-level Twilio feature (rather than the system-level Mosio feature) had been left disabled on the Modules/Services Configuration page in the Control Center.
Bug fix: The Data Viewing Rights & Data Export Rights might not be set correctly for user roles after adding a new instrument to a project while in production. When adding a new instrument, the rights would always get set to "No access" for that instrument for all roles, despite the fact that the setting "Default instrument-level user access..." on the User Settings page in the Control Center might be set otherwise. Note: This does not affect individual users' rights but only user roles. (Ticket #218708)
Bug fix: When a Table-based user navigates into a project, after which the Password Expire Warning popup is displayed if their password is about to expire soon, and then the user clicks the "Change my password" button, they are mistakenly taken to a blank page. This issue only occurs if the Password Expire Warning popup is displayed while they are inside a project (as opposed to on the My Projects page). (Ticket #218606)
Bug fix: If using Multi-Language Management, under certain circumstances the language preference of a logged-in user was mistakenly overwritten by a browser cookie. (Ticket #218766)
Bug fix: If a proxy is specified on the General Configuration page in the Control Center, it was mistakenly not being utilized for HTTP requests made during CDIS remote calls to the EHR system. (Ticket #219039)
Bug fix: When merging two records while using Double Data Entry (DDE), the merging process might mistakenly replace specific characters with HTML entities in the values of the third record that was created. (Ticket #218547)
Bug fix: In some situations, the AWS SDK might mistakenly fail when attempting to store or retrieve files from S3. The AWS SDK for PHP has been updated to the latest version in order to resolve this.
Bug fix: When piping a value onto a form/survey from outside the current context, in certain situations the piped value might mistakenly get wrapped in invisible HTML "span" tags when output onto the page, which should only occur when the field being piped exists on the same page. (Ticket #219031)
Bug fix: When using a designated email field (whether project-level or survey-level), there might be some inconsistency with regard to saving the email field if the field exists on multiple events or on a repeating instrument/event, in which REDCap attempts to keep all values the same for the field in all places in the record. One of the worst side effects is that it might mistakenly create extra repeating instances on a record when the email field exists on a repeating instrument when multiple repeating instances already exist for another instrument on the same record. (Ticket #217938)
Bug fix: When performing a data import on the Data Import Tool page when using PHP 8, a fatal PHP error might mistakenly occur. (Ticket #212225b)
Version 13.7.22 (released on 2023-11-09)
CHANGES IN THIS VERSION:
Medium security fix: A Cross-site Scripting (XSS) vulnerability exists in the third-party library TinyMCE that is bundled in REDCap. The library has been updated to the latest version. Note: This does not affect the latest Standard Release of REDCap.
Bug fix: Two-factor verification would mistakenly fail for users when the 6-digit 2FA code has a leading zero. (Ticket #218277)
Bug fix: When using Clinical Data Pull, the "View" link to view the adjudication popup would mistakenly not appear at the top of the data entry page after having opened the page the first time. (Ticket #218182)
Bug fix: When using Multi-Language Management, the project-level overrides of some admin settings would mistakenly get ignored.
Bug fix: When using Multi-Language Management, the comments at the top of CSV export files from the MLM page mistakenly had a comma hard-coded as the CSV delimiter, which could lead to the file not being importable when a delimiter other than comma was chosen and depending on the type of software used to edit the file.
Bug fix: The "Map of Users" page in the Control Center might mistakenly not call the "redcap_control_center" hook under specific circumstances. (Ticket #218502)
Bug fix: External Module language files were mistakenly being overwritten by the Language::getLanguage() method, leading to the loss of module-specific language keys. This problem manifested when the tt function, used for internationalization within EMs, was called, particularly affecting pages that utilized the redcap_control_center hook. (Ticket #218492)
Version 13.7.21 (released on 2023-11-02)
CHANGES IN THIS VERSION:
Bug fix: When using the @CALCDATE action tag in which the Daylight Saving Time barrier is crossed when calculating the resulting date, in specific cases the result might mistakenly be one day off (if a date field) or one hour off (if a datetime field). Similarly, when using the datediff() function in which one date/datetime exists in DST while the other does not, in some cases the result might be off by one hour when using units of "h", "m", or "s". (Ticket #32022, #73668, #103913, #126830, #129720, #137174, #215534, #216566)
Bug fix: Fixed an issue affecting the behavior of custom CDIS mapping in the Clinical Data Pull (CDP) mapping interface, in which custom CDIS mapping fields were incorrectly designated as 'primary,' thus preventing users from utilizing them as intended. (Ticket #217391)
Bug fix: The setting "Custom text to display at top of Project Home page" would mistakenly not display in the project if it did not contain actual text but only contained an image or an HTML “style” tag. (Ticket #217972)
Bug fix: In certain situations, the WebDAV file storage check on the Configuration Check page might mistakenly fail with a fatal PHP error. (Ticket #217684)
Bug fix: When attempting to save a calc or @CALCTEXT field in the Online Designer, in which the calculation contained a Smart Variable, it would prevent normal users from saving the field and would just get stuck saying "Saving...". However, administrators would be able to save the field successfully.
Bug fix: In certain situations while on a survey page, a participant might be able to submit a survey when they should not, such as if the Save button is hidden on the survey page. (Ticket #217159)
Bug fix: A user would be unable to close the field validation error popup (specifically in iOS or Android) when the field with the validation error is followed by a signature field. (Ticket #217572)
Bug fix: When exporting and importing Automated Survey Invitations using a CSV file in the Online Designer, the import process might fail with a blank error message due to an inconsistency in the CSV delimiter used in the file. (Ticket #217941)
Bug fix: When using Multi-Language Management, the choice labels of multiple choice fields would not be piped correctly in some cases if the choice labels contain HTML. (Ticket #217955)
Bug fix: Users would mistakenly be allowed to define Missing Data Codes where some of the codes could be duplicated in different cases (case sensitivity-wise). For example, "na" and "NA" would both be allowed as Missing Data Codes. Note: This issue cannot be fixed retroactively but will be prevented going forward when users attempt to create or modify Missing Data Codes on the Project Setup page. (Ticket #216818)
Version 13.7.20 (released on 2023-10-26)
CHANGES IN THIS VERSION:
Bug fix: An issue may occur with a CDIS-related cron job in which certain records are not processed due to MemoryMonitor interruptions, and thus records would mistakenly not get queued for future processing to pull their clinical data from the EHR. This fix ensures that these unprocessed records are correctly queued for the next execution of the cron job, preventing data loss and ensuring more robust processing.
Bug fix: When a user lacks the instrument-level user privilege to modify survey responses for a given instrument, then they open a data entry form that has been enabled as a survey, and before they submit the form, a survey response has already been started or completed by a participant, it would mistakenly allow the user to unwittingly overwrite the survey response when they submit the form. It now returns an error message in this specific scenario and prevents the user from making changes. (Ticket #217157)
Bug fix: When a user is assigned to a Data Access Group and views a project's Logging page when no records exist in their DAG yet, the Logging page might crash and display an error message saying that an SQL query failed. This appears to only occur for certain versions of MySQL/MariaDB. (Ticket #217372)
Bug fix: Certain tables, such as the Record Status Dashboard and reports, might mistakenly not display with the correct width based on the current screen size, in which the table may display its scroll bar off the right side of the page (i.e., initially not visible) instead of it being visible after the page loads.
Bug fix: If the MyCap External Module is enabled in a project, the built-in MyCap feature would mistakenly have its “Enable” button as a clickable button on the Project Setup page. That button is now disabled/grayed out if the MyCap EM is already enabled in a project.
Bug fix: When using CDIS, specifically Clinical Data Mart, an intermittent issue in CDM projects would occur where searches for specific Medical Record Numbers (MRNs) would occasionally return duplicate results. The fix ensures that each MRN appears only once in the search outcomes.
Bug fix: When using Multi-Language Management, the "only one selection per column" notice on matrix fields was mistakenly not translatable via the MLM setup page. (Ticket #217480)
Bug fix: When adding or editing a multiple choice field via the Online Designer, the text in the section "How do I manually code the choices?" mistakenly contained a line break in the text rather than actually displaying the HTML tag "
" as visible in the text.Bug fix: When an alert is set to trigger "When conditional logic is TRUE during a data import, data entry, or as the result of time-based logic", in which a data value from a repeating instrument or repeating event is added via a data import, if the repeat instance number is "1" for the field being imported (or if the value is "new" when no repeating instances exist yet for that field), the import process might mistakenly not trigger the alert. (Ticket #214855)
Bug fix: When a checkbox field has a multiple choice option whose raw code is the same as a missing data code in the project, the report page might mistakenly display the error "DataTables warning: table id=report_table - Incorrect column count" when trying to view a report that contains such a checkbox. (Ticket #217249)
Bug fix: When hovering over the “view list” link on the Alerts & Notifications page for a given alert, the popover dialog would mistakenly not be hidden again if the user moves their cursor off of the popover. To remedy this, the user must now click the “view list” link to see the popover, after which the popover will hide if manually closed or if the user clicks on anything outside of the popover on the page.
Bug Fix: When importing records that are assigned to a Data Access Group, in which records for other DAGs exist in the redcap_data table with a blank record name (due to an older bug that caused the name to be blank), this would mistakenly prevent the data import process from importing the records. (Ticket #217724)
Version 13.7.19 (released on 2023-10-19)
CHANGES IN THIS VERSION:
Major security fix: A Stored Cross-site Scripting (XSS) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom JavaScript in a specially crafted way into specific POST parameters of an Online Designer related URL so that the custom JavaScript could be injected into the calculations of calc fields, @CALCTEXT, and @CALCDATE fields. Thus the custom JavaScript could be executed whenever anyone opens the data entry form or survey page. This could lead to privilege escalation if a malicious user tricks an administrator into viewing the instrument, thus potentially becoming an administrator themselves and able to access all projects and data. The user must be authenticated into REDCap and must have Project Design rights in order to exploit this in a project. Bug exists in all REDCap versions for the past 10 years. Note: This bug was supposedly fixed in the previous version but mistakenly was not.
Medium security fix: Malicious users might be able to bypass the "Restricted file types for uploaded files" feature (if being utilized on the REDCap server) by uploading a file with an incorrect file extension into the File Repository of a project, and then changing the file's extension using the "rename file" feature. For example, an attacker could take a file named "exploit.exe", rename it to "image.jpg" on their local device, upload the file into the File Repository, rename the file to "image.exe", and then trick another user into downloading it and executing it locally. Now, REDCap prevents users from modifying the file extension of any files uploaded into the File Repository. Note: The vulnerability does not pose a risk to the REDCap server since REDCap itself never executes any uploaded files, but this only poses a risk to users who may unwittingly download and execute the file. Also, the malicious user must have File Repository privileges inside a project in order to exploit this.
Minor security fix: When using Two-Factor Authentication, in which users are logging in and entering a 6-digit one-time passcode (OTP), there was no limit placed on the number of passcode submissions that can be attempted for a given user within a specific window of time. Thus, the passcode verification process was subject to brute force hacking (so long as the attempts did not exceed the general Rate Limiter setting in REDCap). This has been changed so that the passcode verification process cannot be utilized more than 10 times per minute. If exceeded, it will now return an error.
Major bug fix: When a survey participant clicks the "Save & Return Later" button on a survey, REDCap would mistakenly not always find the participant's email address (from a designated email field or from the participant list) when loading the page that displays the return code. In some cases, another participant might be sent an email containing the original participant's survey link for completing the survey. Note: Despite sending the survey link to the wrong participant, the other participant would not be able to see the original participant's responses because they do not have the Return Code. (Ticket #140765, #217097)
Bug fix: When using Multi-Language Management, a JavaScript error might occur when piping calculated fields under specific conditions.
Bug fix: When using Twilio or Mosio, it would mistakenly not send SMS messages to U.S. phone numbers with an 445 area code. (Ticket #216751)
Bug fix: When using Multi-Language Management, the option to “Create from file/from scratch” would mistakenly not be available on the Control Center MLM setup page when the corresponding language creation was disabled for projects.
Bug fix: The language variable "design_1054" mistakenly existed twice in the file "English.ini".
Bug fix: If the settings "Allow normal users to edit their primary email address on their Profile page?" or "Allow normal users to edit their first name and last name..." are set to "Do not allow editing", a user that knows how to make a specially-crafted POST request to a specific end-point or knows how to manipulate the Profile page's user interface in a specific way would be able to modify their first/last name and/or email address, respectively.
Bug fix: When a user imports a Project XML file that is truncated (for whatever reason) and is thus does not represent properly structured XML, in some situations REDCap might still attempt to process the XML fully without any error message, which might result in some things not getting set correctly in the resulting project, possibly unbeknownst to the user. It now attempts to do a better job of detecting if the XML is properly structured, and if not, returns an error message explaining this.
Bug fix: When using "Azure AD OAuth2 & Table-based" authentication, users clicking the "Logout" link in REDCap would mistakenly not be successfully logged out of Azure AD. (Ticket #216423b)
Bug fix: When using Twilio or Mosio, it would mistakenly not send SMS messages to U.S. phone numbers with certain newer area codes, including 531 and 726. (Ticket #216751b)
Version 13.7.18 (released on 2023-10-11)
CHANGES IN THIS VERSION:
Major security fix: A Stored Cross-site Scripting (XSS) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom JavaScript in a specially crafted way into specific POST parameters of an Online Designer related URL so that the custom JavaScript could be injected into the calculations of calc fields, @CALCTEXT, and @CALCDATE fields. Thus the custom JavaScript could be executed whenever anyone opens the data entry form or survey page. This could lead to privilege escalation if a malicious user tricks an administrator into viewing the instrument, thus potentially becoming an administrator themselves and able to access all projects and data. The user must be authenticated into REDCap and must have Project Design rights in order to exploit this in a project. Bug exists in all REDCap versions for the past 10 years.
Medium security fix: A user with Calendar privileges in a given project that knows how to make a specially-crafted POST request to a specific end-point might be able to edit or delete a calendar event in another project to which they do not have access.
Medium security fix: A user with Data Access Group privileges in a given project that knows how to make a specially-crafted POST request to a specific end-point might be able to rename or delete a DAG in another project to which they do not have access.
Bug fix: When using Multi-Language Management, REDCap’s auto-logout feature would mistakenly not work on the MLM setup page in some circumstances. (Ticket #216234)
Bug fix: When printing an instrument via the option "Download this survey with saved data (via browser's Save as PDF)", a vertical line/shadow would mistakenly appear on the left side of the resulting PDF.
Bug fix: When using Multi-Language Management, a specific warning was mistakenly not translatable via the MLM setup page.
Bug fix: When using "OpenID Connect & Table-based" authentication, users clicking the "Logout" link in REDCap would mistakenly not be successfully logged out of OIDC. (Ticket #216423)
Bug fix: When using Multi-Language Management, “style” HTML tags that span over multiple lines would mistakenly not work as expected when MLM is active.
Version 13.7.17 (released on 2023-10-05)
CHANGES IN THIS VERSION:
Major bug fix: A user with “Alerts & Notifications” privileges in a given project that knows how to make a specially-crafted POST request to a specific end-point used for "Alerts & Notifications" functionality might be able to delete any general uploaded file that belongs to the project, whether it be an attachment uploaded via the rich text editor, a file uploaded to a File Upload field, a Descriptive Text field attachment etc. This user could potentially delete the stored edoc file for any of those such places in the project. However, it is important to note that the user can only delete files within their own project to which they have access. They cannot delete files in other projects to which they do not have access.
Major bug fix: If survey invitations have been scheduled manually (i.e., not via ASI) with one or more reminders, the unsent/scheduled reminders would mistakenly not be automatically removed whenever the participant completes the survey. (Ticket #203090)
Bug fix: The end-points used for deleting instruments and fields in a project were mistakenly using a GET request (rather than a POST request), which could make it easier for a user to get tricked into unwittingly deleting an instrument or field if a malicious user sent them a specially-crafted link to click. Such a situation would not cause any permanent damage (e.g. no data would ever be deleted), and it could be easily fixed by re-adding the instrument/field back.
Bug fix: When using a CDIS service (CDM or CDP) to pull data from an EHR, when dealing with date values used in the FHIR requests to the EHR system, some dates might mistakenly be converted to the current timezone. This has been fixed to ensure that the date conversion only occurs in the response received from the FHIR system.
Bug fix: When using the Protected Email Mode feature, in which an alert is set up with an attachment file and the alert is set not to send immediately but at some later time, after the alert is triggered and the email is sent, when the recipient views the email on the Protected Email Mode page, the attachment would mistakenly not be downloadable on the page but would display an error when attempting to be download it. (Ticket #212760)
Bug fix: The hook functions "redcap_survey_page_top" and "redcap_survey_page" might mistakenly be provided with an incorrect DAG group_id value for records that have not yet been created, such as when viewing the first page of a public survey. In these cases, it would provide the DAG group_id of record "1" in the project if there exists a record named "1" when instead the group_id should be NULL. (Ticket #215884)
Bug fix: The Unicode Transformation process might mistakenly not convert data in some database tables that have a "project_id" column in which the project_id value in the table is NULL. (Ticket #215615)
Bug fix: Several PHP 8 compatibility issues when using certain MyCap pages/processes.
Bug fix: The @NOW-SERVER action tag would mistakenly not set the correct value for many time-validated field types, such as a Text field with "time_hh_mm_ss" validation, whenever an instrument/survey is loaded. Instead, it might set the value as the user/participant's local time (according to their browser). (Ticket #216135)
Bug fix: When using Multi-Language Management, for Yes/No and True/False fields, "No"/"False" was mistakenly shown instead of their associated translation in some places (e.g., Codebook). (Ticket #216265)
Bug fix: Several different features in REDCap, in which an AJAX call returns JSON-encoded data, might get misinterpreted and thus would fail because the request failed to have the "Content-Type: application/json" header set. This would only occur for certain web server configurations. (Ticket #214401)
Version 13.7.16 (released on 2023-09-28)
CHANGES IN THIS VERSION:
Bug fix: When renaming a record, the record name would mistakenly not get renamed on the Email Logging page. This would not cause any issues other than the Email Logging saying that an email belongs to the wrong record. (Ticket #215100)
Bug fix: The Unicode Transformation process might mistakenly not display correct information regarding whether or not some specific steps in the process need to be completed.
Bug fix: The "field suggest" feature when using the Logic Editor was mistakenly no longer appearing as of REDCap 13.7.13 LTS and 13.9.3 Standard Release. (Ticket #215285)
Bug fix: When using the Clinical Data Mart design checker's "fixDesign" process, a fatal PHP error might occur in certain situations.
Bug fix: Some project pages might fail with a fatal PHP error when using PHP 8 due to the calling of an undefined PHP constant in the External Module Framework. (Ticket #215348)
Bug fix: When using Multi-Language Management, the "Access Denied!" a message that appears on data entry forms when a user has no access was mistakenly not a translatable element in MLM. (Ticket #215504)
Bug fix: In a MyCap-enabled project, slider labels (displayed above or next to the slider) were not displaying correctly in the MyCap config JSON and thus might cause issues in the MyCap mobile app.
Bug fix: When using the Data Resolution Workflow along with Data Access Groups in a project, if a user attempts to assign a data query to a user, in some situations the drop-down list of assignable users would mistakenly list users that are not currently eligible to be assigned to the data query because they are not currently assigned to the record's DAG. It should only list users that are currently in the record's DAG (or users not in any DAG) if the record itself is assigned to a DAG. (Ticket #213770)
Bug fix: When using CDIS, the SMART on FHIR authentication process was causing incorrect scope levels to be applied, specifically impacting Cerner users. The issue prevented the proper assignment of the "user" level during authentication, thus potentially leading to authorization errors.
Bug fix: The auto-fill form/survey feature for administrators might mistakenly fail for most/all time validated fields. (Ticket #215684)
Bug fix: When an [X-event-name] Smart Variable is prepended to a field variable (especially in combination with an [X-instance] Smart Variable) in logic, calculations, or piping, it might cause the evaluation of the logic/calc/piping not to be performed successfully. For example, for [previous-event-name][field], the direct previous event might be used when instead the previous designated event for that field's instrument should be used. (Ticket #214317, #213503)
Bug fix: If using an HTML "style" tag inside user-defined text (e.g., field label, survey instructions), the CSS styles inside the tags might mistakenly not work on the page if line breaks or carriage returns occur anywhere inside the opening and closing style tag. (Ticket #215693)
Version 13.7.15 (released on 2023-09-22)
CHANGES IN THIS VERSION:
Major bug fix: When using randomization while in production status, if a user is uploading a new allocation table to be appended to the existing production allocation table, in which the development allocation table happens to exactly match all the production allocations after the allocation upload has occurred, all the production allocations would mistakenly be erased, which would also remove the "randomized" status for any already randomized records. This is extremely rare, but is extremely destructive and difficult to restore back to its previous state.
Bug fix: When viewing the MyCap participant list, the Baseline Date might mistakenly be displayed in an incorrect date format.
Bug fix: A user that does not have Project Setup privileges in a project could potentially exploit a missing user rights check on the endpoints where field attributes are modified in the Online Designer by crafting special HTTP requests to those specific endpoints. This does not allow the user to do anything other than add new fields or edit the attributes of existing fields.
Bug fix: When viewing the Record Status Dashboard in certain cases when using PHP 8, the page might crash with a fatal PHP error. (Ticket #214370)
Bug fix: When users make API requests, the full API token was mistakenly being logged in the redcap_log_view table for each request. This is not typically an issue because such values in that table are not exportable via the front-end user interface but are only accessible via direct database access. However, if some institutions are sending the full export of their redcap_log_view table to their local security office, the logging of the API token in that table could be problematic. The API token will now be redacted in the redcap_log_view table. (Ticket #214322)
Bug fix: When users delete or regenerate their API token in a project, the value of the old token was mistakenly not being logged on the project's Logging page.
Bug fix: Fixed issue with the CDIS "Break the Glass" feature. When attempting to restore a serialized list of patients, an error is thrown due to the DateTime class not being listed within the "allowed_classes" parameter of the unserialize function. (Ticket #214670)
Bug fix: An administrator with only “Install, upgrade, and configure External Modules” admin privileges might not be able to view certain External Module pages or perform certain External Module operations, such as accessing the EM Manage page in the Control Center. (Ticket #214721, #214722)
Bug fix: An issue might occur when downloading a file from a File Upload field when REDCap is hosted on Google Cloud Platform due to the usage of an unnecessary project_id prefix for Google bucket file storage.
Bug fix: The notification for the Unicode Transformation process on the Configuration Check page might mistakenly not be displayed on the page anymore after step 2a of the process has been completed. It should not go away until all 4 of the steps are completed.
Bug fix: When attempting to access the "App Data Dumps" on the REDCap Mobile App page in a project, if any of the data dump files somehow can't be found in the file system (which would be unexpected), the page would crash with a fatal PHP error. From now on, it will merely skip any files in this situation. (Ticket #215007)
Bug fix: When date or datetime fields are piped into the choice label of a drop-down field, in which the date/datetime field has MDY or DMY date format and also exists on the same page as the drop-down field, the date/datetime values might not get piped in the correct format but may appear in the drop-down as a mangled date/datetime value.