ChurchCRM Plaintext Password Exposure Vulnerability

Vulnerability

A vulnerability in ChurchCRM versions prior to 6.5.0 allows the application to return plaintext passwords in HTTP responses. The issue affects any workflow that processes user passwords, significantly increases the risk of credential theft, and compounds the effect of other vulnerabilities such as cross-site scripting, insecure direct object references, and session fixation. According to the advisory, the exposed passwords can be captured through network intercepts, browser history, or client-side logs, and may be reflected in pages vulnerable to cross-site scripting.

Impact

The vulnerability leads to unauthorized password exposure, allowing for credential harvesting. This could result in account takeovers, especially if users reuse passwords across different services.

Reproduction

To reproduce this vulnerability, submit a password through a form that processes user input, such as registration or password reset. The application responds by echoing the password in plaintext, which is visible in the response body, for example in a JSON payload or in the HTML source.
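The exposure described above, shown as an added example rather than ChurchCRM's own code: a handler that serializes a whole user record (the anti-pattern) beside one that allow-lists the fields a client may see, together with a regression check a defender can run over any response body to confirm a submitted password is not reflected in raw, JSON-escaped, URL-encoded or HTML-escaped form. The user record, field names and password are constructed for the example.

```python
import html
import json
import urllib.parse

# Constructed sample record standing in for what an application holds after a
# registration or password-reset form is processed. The password is a dummy value.
SAMPLE_USER = {
    "id": 42,
    "username": "jdoe",
    "email": "jdoe@example.org",
    "password": "Tr0ub4dor&3",
}

# Fields a client is allowed to see in a response; everything else is dropped.
SAFE_FIELDS = ("id", "username", "email")


def vulnerable_json_response(user: dict) -> str:
    """Anti-pattern: dump the entire record, password included, as JSON."""
    return json.dumps(user)


def vulnerable_html_response(user: dict) -> str:
    """Anti-pattern: pre-fill a form field with the password, so it lands in the HTML source."""
    return f'<input name="password" value="{html.escape(user["password"])}">'


def hardened_json_response(user: dict) -> str:
    """Serialize only an explicit allow-list; a new sensitive column is never exposed by default."""
    return json.dumps({k: user[k] for k in SAFE_FIELDS if k in user})


def find_secret_reflection(body: str, secret: str) -> list[str]:
    """Return the names of the encodings in which `secret` appears in `body`.

    Frameworks often transform output before sending it, so a reflected
    password may be JSON-escaped, URL-encoded or HTML-escaped rather than raw.
    """
    if not secret:
        return []
    encodings = {
        "raw": secret,
        "json": json.dumps(secret)[1:-1],          # strip the surrounding quotes
        "url": urllib.parse.quote(secret, safe=""),
        "html": html.escape(secret),
    }
    return [name for name, encoded in encodings.items() if encoded in body]


def response_leaks_password(body: str, password: str) -> bool:
    """Regression check: True if the password shows up in the response in any known encoding."""
    return bool(find_secret_reflection(body, password))


if __name__ == "__main__":
    pw = SAMPLE_USER["password"]
    for label, body in (
        ("vulnerable json", vulnerable_json_response(SAMPLE_USER)),
        ("vulnerable html", vulnerable_html_response(SAMPLE_USER)),
        ("hardened json", hardened_json_response(SAMPLE_USER)),
    ):
        print(f"{label:16} leaks={response_leaks_password(body, pw)} "
              f"encodings={find_secret_reflection(body, pw)}")
```

Wire `response_leaks_password` into the test suite for every endpoint that accepts a password field; a failing assertion on any response body is the same signal the advisory describes, caught before release rather than in a network capture.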

Remediation

Update to ChurchCRM version 6.5.0 or later, where this vulnerability is fixed.

Added: Dec 16, 2025, 1:20 AM
Updated: Dec 16, 2025, 1:20 AM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 3.1
exploitability: 6.1
remediation: 7.7
relevance: 1.6
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.