Upgrade Version 14.0.34 Change Log
WashU REDCap Upgraded to this version on 2024-08-01
Version 14.0.34 (released on 2024-07-11)
CHANGES IN THIS VERSION:
Bug fix: The MyCap Participant Management page mistakenly displays all participants when there are no records in the user's DAG. (Ticket #233473)
Bug fix: When performing piping in a repeating instance context, the wrong repeating instance might mistakenly be assumed in certain situations when no data is saved yet. (Ticket #234557)
Bug fix: When exporting the results of a Data Quality rule that returns more than 10,000 discrepancies, the resulting CSV file would mistakenly only include 10,000 results instead of all the results. (Ticket #229449b)
Bug fix: If conditional logic, branching logic, or calculations are being evaluated by server-side processes when submitting a survey page (e.g., alerts, ASIs), in which the logic/calc contains one or more [aggregate-X] Smart Variables, the logic/calc might mistakenly not get evaluated correctly and thus might behave unexpectedly. (Ticket #233984)
Bug fix: When viewing the "View Task Details (all)" dialog in the Online Designer for MyCap-enabled projects, "Invalid Format" would mistakenly be displayed for MyCap tasks created from PROMIS measures.
Bug fix: The email sent to the survey participant after clicking the "Save & Return Later" button on a survey might mistakenly appear to be missing the main survey link back to the survey if the survey has no survey title defined (i.e., the title was left blank). (Ticket #234831)
Bug fix: When fields in a calculated field are being added together using plus signs (e.g., [field1] + [field2]), as opposed to using the "sum" function, the field values might mistakenly get concatenated/joined together as text instead of being added together mathematically. Bug emerged in REDCap 14.0.32 LTS and 14.4.0 Standard Release. (Ticket #234858)
Bug fix: In a MyCap-enabled project that is in production status, if a user rejects their current drafted changes, any forms added while in draft mode would appropriately be deleted from the drafted changes; however any MyCap tasks created for those drafted forms would mistakenly remain in the backend database, which could then cause issues later.
Bug fix: When using an "X & Table-based" authentication method, if a Table-based user clicks the "Reset password" button on their Profile page, it might mistakenly not actually trigger the password reset process. (Ticket #234884)
Version 14.0.33 (released on 2024-07-03)
CHANGES IN THIS VERSION:
Major security fix: A Stored XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom HTML and JavaScript in a specially crafted way into any user input that is then output on a page in REDCap (e.g., field labels, survey instructions, data displayed on a report). This vulnerability can be exploited by authenticated users and also by survey participants entering data. Bug exists in all REDCap versions.
Major security fix: A Stored XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom HTML and JavaScript in a specially crafted way into the record name when creating a new Calendar event on the Calendar page, specifically in the Calendar popup. This vulnerability can be exploited by authenticated users only. Bug exists in all REDCap versions.
Medium security fixes: Several access control vulnerabilities were discovered in REDCap Messenger in which a malicious user could potentially exploit them by sending specially crafted HTTP requests that would allow them to perform the following actions: read and export any conversation in the system, add a message to any conversation, add themselves as a conversation leader on any conversation, upload a file to any conversation, and export a list of all users of a conversation. Bug exists in REDCap 7.4.0 and later.
Medium security fix: A Stored XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom HTML and JavaScript in a specially crafted way into the contents of a file that is uploaded via the API and then downloaded via the API using various file import/export API methods. This vulnerability can be exploited only by users that possess a REDCap API token. Bug exists in all REDCap versions.
Bug fix: When taking a survey, malicious survey participants could possibly alter the "start time" of their response by carefully manipulating hidden elements on the first page of a survey. Note: This does not affect the security of the survey but might affect data quality.
Bug fix: Fixed several PHP 8 related errors. (Ticket #233266)
Bug fix: Some PHP errors might mistakenly occur when using Azure Blob Storage when performing certain tasks. (Ticket #234248)
Bug fix: When a participant is attempting to enter data for a biomedical ontology field while on a survey page, the ontology field would not function correctly and would not fetch any values from the BioPortal web service. This issue occurs on survey pages only. Bug emerged in the previous version.
Bug fix: When using Twilio or Mosio, it would mistakenly not send SMS messages to U.S. phone numbers with certain newer area codes, including 787 and 939. (Ticket #234300)
Bug fix: When using Clinical Data Pull for CDIS, a JavaScript error might occur when adding a patient to a project in the "Launch from EHR" process, thus preventing the patient from being added. (Ticket #234249)
Bug fix: A fatal PHP 8 error might occur in a specific situation when a participant is taking an adaptive or auto-scoring instrument (i.e., a PROMIS assessment) from the REDCap Shared Library. (Ticket #234346)
Bug fix: When viewing a public report that contains the record ID field, if the Secondary Unique Field has been defined in the project and has also been tagged as an identifier field, then the public report would mistakenly not display and would output an error message even if the setting "Display the value of the Secondary Unique Field next to each record name displayed?" is disabled. (Ticket #234403)
Bug fix: When a field is embedded in a checkbox or radio field's choice label while that checkbox/radio field is also piped somewhere on the current page, the value of the embedded field might mistakenly not get saved correctly when a user modifies it and saves the page. (Ticket #233917b)
Version 14.0.32 (released on 2024-06-27)
CHANGES IN THIS VERSION:
Bug fix: Resolved an issue with the link to the Mapping Helper in the CDIS panel menu. (Ticket #226611)
Bug fix: When using Multi-Language Management, a text string shown in partial survey completion emails when there is no survey title was mistakenly not available for translation. (Ticket #233149)
Bug fix: In specific scenarios when viewing MDY or DMY formatted date fields on a report, the date values might mistakenly appear mangled on the page. (Ticket #211780)
Bug fix: When using Multi-Language Management, the MLM setup page would fail to load in projects that have not yet set up any languages. Bug emerged in the previous release. (Ticket #233304)
Bug fix: In some very specific situations, a @CALCTEXT action tag that contains a plus sign ("+") character might produce an unexpected result. (Ticket #233189)
Bug fix: A rare issue might occur when non-checkbox fields from a repeating instrument or repeating event are referenced inside branching logic or calculated fields. (Ticket #233509)
Bug fix: Fixed several PHP 8 related errors. (Ticket #233266)
Bug fix: If the Send-It feature has been disabled at the system level, the "Share" dialog for files stored in the File Repository would mistakenly still display an option to share the file using Send-It. (Ticket #233493)
Bug fix: When clicking the "Add new template" button on the Project Template page in the Control Center, the popup might time out and never be displayed if tens of thousands of projects exist in the system. To prevent this, an auto-complete drop-down will replace the regular drop-down when more than 5000 projects exist. (Ticket #233451)
Bug fix: When using Twilio, in which one or more Twilio voice call options are enabled in the project, the voice call options would mistakenly not be displayed in any drop-downs listing all the enabled delivery preferences. Bug emerged in REDCap 13.4.0. (Ticket #233599)
Bug fix: When the HTML tags "iframe" or "embed" are added to any user input that is then output on a page in REDCap (e.g., field labels, survey instructions), any text or tags that occur after the iframe/embed tags would mistakenly be removed along with the iframe/embed tags themselves, thus truncating the text. Note: iframe/embed tags are not allowed and are always removed for security purposes.
Bug fix: When using Clinical Data Pull for CDIS, the process of fetching data from the EHR might fail with a fatal PHP error when using PHP 7.3 or 7.4. (Ticket #228374)
Bug fix: The month and year drop-downs inside the datetime pickers for the "start time" and "end time" filters on the Logging page would not work and would mistakenly not change the start/end times after a new option was selected for those drop-downs. (Ticket #233815)
Bug fix: The documentation for the "Export Users" API method would mistakenly mention the "Read Only" rights for the "User Rights" privilege, even though the "Read Only" option for the "User Rights" privilege does not exist in the current LTS and exists only in the latest Standard Release. This text has been edited to remove the reference to that feature, which does not exist in LTS yet. (Ticket #233936)
Bug fix: When a user has "read-only" data viewing access to an instrument that contains a biomedical ontology field, the ontology field would appear to be editable on the page, despite the fact that the user is not able to submit the page or modify the field's saved value. (Ticket #233940)
Bug fix: Under certain circumstances where quote characters are next to equal signs, CALCTEXT expressions might not be parsed correctly and thus might produce a JavaScript error. (Ticket #233927)
Bug fix: Embedded fields might mistakenly get hidden when also piped on the same form under very specific circumstances. (Ticket #233917)
Bug fix: When exporting the Participant List via CSV on the Participant List page, some columns might mistakenly have the wrong header labels in the CSV file. (Ticket #233958)
Bug fix: When viewing the "Stats & Charts" page for a report in a longitudinal project, in which a user clicks the link for the "Missing" column for a given field after having selected the Live Filter of an event that contains data for a repeating instrument (although not for the field in question), the "missing values" list of records that is returned after clicking the "Missing" link might mistakenly display extra values that are not applicable. (Ticket #232841)
Bug fix: When creating a new alert on the Alerts & Notifications page, in which the Twilio, Mosio, and Sendgrid services for alerts have been disabled at the system level, the "Email to send email-failure errors" setting would mistakenly not be displayed after clicking the "Show more options" link in the "Create new alert" dialog. (Ticket #233629)
Version 14.0.31 (released on 2024-06-13)
CHANGES IN THIS VERSION:
Major security fix: A Stored XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom HTML and JavaScript in a specially crafted way into any user input that is then output on a page in REDCap (e.g., field labels, survey instructions, data displayed on a report). This vulnerability can be exploited by authenticated users and also by survey participants entering data. Bug exists in all REDCap versions.
Medium security fix: A Reflected XSS (Cross-site Scripting) vulnerability was discovered in which a malicious user could potentially exploit it by inserting custom HTML and JavaScript in a specially crafted way into a specific API parameter's value that is used in several file-related and survey-related API methods. This vulnerability can be exploited only by users with a valid API token. Bug exists in all REDCap versions.
Bug fix: Embedding required fields into matrix groups hidden by branching logic would cause the page to crash, preventing it from being saved. (Ticket #232140)
Bug fix: When importing data via the Background Data Import process in a MyCap-enabled project, it might mistakenly create duplicate entries for the same record in the MyCap Participant List. (Ticket #229177)
Bug fix: When a calculated field is using a datetime field inside a datediff() function while also using "today" as a parameter (as opposed to using “now”), it might result in an incorrect calculated result on the page (although the server-side calculation process would typically correct this). (Ticket #231434)
Bug fix: The MyCap API call "getStudyFile" was not returning any file contents for the requested file.
Bug fix: When using right-to-left languages in Multi-Language Management, the email content for translated ASIs or Alerts would mistakenly not appear in the user’s/participant’s email client as right-to-left. (Ticket #232158)
Bug fix: When using the datetime picker on datetime fields, in which the field already has a value, clicking on the time sliders in the datetime picker would mistakenly cause the picker to close immediately. Bug emerged in the previous version. (Ticket #232350)
Bug fix: When exporting data via the Export Records API method in EAV format, in which the "fields" parameter is not provided, the API would mistakenly not return data for all project fields in the output of the API request but might instead only return the record ID field and (if the API parameter DataAccessGroups=false) the __GROUPID__ field. (Ticket #232249)
Bug fix: Too many unnecessary database queries would mistakenly be executed during the Background Data Import process.
Bug fix: When importing data for a repeating instrument, in which one of the fields on the repeating instrument is the Secondary Unique Field, in certain situations REDCap might mistakenly return an error and prevent the import process from occurring. (Ticket #229881)
Bug fix: If the Survey Base URL setting has been defined on the General Configuration page in the Control Center, any images that are uploaded using the rich text editor to a field label, survey instructions, etc. might not be viewable when viewing them on the survey page. (Ticket #231843)
Bug fix: If a date, time, or datetime validated field was embedded inside the choice label of a radio or checkbox field, the width of the date/time/datetime field would mistakenly be too wide. (Ticket #232271)
Bug fix: If alerts have been set up with an Alert Type of "SMS" or "Voice Call", the log entry on the Logging page for each alert sent would mistakenly be missing the recipients' phone numbers.
Bug fix: When using the Clinical Data Mart feature for CDIS, users not having Data Mart privileges might mistakenly be able to access a Data Mart page. (Ticket #232792)
Bug fix: When using WebDAV for file storage in REDCap, the Configuration Check page might mistakenly not display the WebDAV path on the page in one of the checks but would instead just display two double quotes where the path should be displayed.
Bug fix: The “Administrator?” column in the “View User List by Criteria” table on the Browse Users page in the Control Center was mistakenly never updated when granular Admin Privileges were introduced to REDCap. That column currently only denotes if the user has “Access to all projects and data” privileges when it should instead display a checkmark if the user has at least one of the seven possible admin rights. (Ticket #232602)
Bug fix: When executing a custom Data Quality rule in a longitudinal project, in which the rule's logic references a field with a blank/null value (e.g., [field]=""), the rule would mistakenly not return results from events that contain no data. (Ticket #231374)
Bug fix: When using Multi-Language Management, "Download PDF" buttons for each language on the MLM setup page were mistakenly disabled when the project is in production mode. (Ticket #232952)
Bug fix: When using Multi-Language Management, the survey queue page, when called directly, would mistakenly not take the language preference field into account. (Ticket #233093)