ChurchCRM
cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*
- 5.13.0
A reflected cross-site scripting vulnerability has been identified in ChurchCRM version 5.13.0 on the EditEventAttendees.php page, in the EID parameter. It allows an attacker with administrative privileges to execute arbitrary JavaScript in the context of a victim's browser.
Exploitation allows session hijacking: an attacker can steal session cookies, impersonate users, and gain unauthorized access to the application. Arbitrary JavaScript running in the victim's session can also lead to further exploitation or to unauthorized actions performed on the user's behalf.
To reproduce this vulnerability, navigate to the EditEventAttendees.php page and inject a script into the EID parameter. Once the request is submitted, the injected script will execute, displaying an alert with the session cookie. This stolen cookie can then be used to hijack the user's session.
To address this vulnerability, ChurchCRM should implement output encoding to neutralize script injections in user-controlled parameters. Additionally, a Content Security Policy (CSP) should be used to restrict JavaScript execution from untrusted sources. All cookies should be set with HttpOnly and Secure flags to prevent client-side access. Finally, input validation and sanitization should be performed before rendering user-controlled data in the response.
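The remediation above, worked through in PHP as an added illustration (not ChurchCRM's own code): the EID parameter is validated as an integer id before use, encoded on output, and backed by cookie flags and a CSP. That EID is a numeric event id, and the function names used here, are assumptions of this example.

```php
<?php
// Added illustration (not ChurchCRM's code): hardening an integer id
// parameter such as EID before it is reflected into HTML.
// Assumption: EID is a numeric event id.

declare(strict_types=1);

// Validate early: accept only a positive integer string, reject everything else.
function readEventId(array $query): ?int
{
    $raw = $query['EID'] ?? null;
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null; // not an integer id: the raw value is never reflected
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

// Encode on output: escaping suitable for HTML body and attribute context.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Defence in depth: cookie flags and a CSP that disallows inline scripts.
function sendHardeningHeaders(): void
{
    // Session cookie not readable by script, sent only over HTTPS.
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'");
    header('X-Content-Type-Options: nosniff');
}

sendHardeningHeaders(); // must run before session_start() and before any output
session_start();

$eventId = readEventId($_GET);
if ($eventId === null) {
    http_response_code(400);
    // Static message: the offending value is never written back into the page.
    exit('Invalid event id.');
}

// Unsafe pattern this replaces: echo "<input name='EID' value='" . $_GET['EID'] . "'>";
// Even a validated integer is still encoded, so the rule holds for every parameter.
echo '<input type="hidden" name="EID" value="' . h((string) $eventId) . '">';
```

With these headers in place, a reflected payload that slips past validation is neutralized by encoding, and the CSP blocks inline script execution as a second layer while HttpOnly keeps the session cookie out of reach of any script that does run.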