Bug exists in all REDCap versions for the past 10 years.
The user must be authenticated into REDCap in order to exploit this. Major security fix: A Reflected XSS (Cross-site Scripting) vulnerability was discovered on the 'Importing instrument from the REDCap Shared Library' page in which a malicious user could potentially exploit it by inserting custom JavaScript in a specially crafted way into input elements on the page.REDCap Change Log Version 14.1.4 (released on )