ChurchCRM
cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*
- <= 6.4.0
A stored Cross-Site Scripting (XSS) vulnerability that enables privilege escalation has been identified in ChurchCRM versions prior to 6.5.3. An authenticated user with only mid-level permissions, specifically 'Edit Records' and 'Manage Properties and Classifications', can inject a persistent XSS payload into an administrator's profile. The payload executes in the administrator's browser when they view their own profile, which can lead to session hijacking and full account takeover. Three weaknesses combine to make this possible: an Insecure Direct Object Reference (IDOR) that lets any user open any profile by its identifier, a Broken Access Control flaw that lets a user assign properties to records they are not authorized to modify, and the rendering of the stored property value into the profile page without output encoding.
Exploitation of this vulnerability yields critical privilege escalation: a user holding only the two permissions named above gains full control over an administrator's account. This includes hijacking the administrator's session and performing any administrative action, such as creating new administrator accounts or deleting data. Marking the session cookie HttpOnly does not prevent the takeover, since script running in the administrator's browser can still issue authenticated requests to the application directly. This access could also be chained with other vulnerabilities to achieve complete server compromise.
To reproduce this vulnerability, log in as a user with the 'Edit Records' and 'Manage Properties and Classifications' permissions. Navigate to an administrator's profile page by supplying the administrator's record identifier, which the IDOR flaw allows without any authorization check. On that profile page, use the 'Assign a New Property' form to store a Cross-Site Scripting payload, such as an image tag with an event handler, in a text-based property. Once the property is saved, the payload executes the next time the administrator views their profile, demonstrating session hijacking and account takeover. Reproduction should be carried out only against a test instance, using a benign marker payload rather than one that exfiltrates data.
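The two server-side flaws described above, broken object-level authorization on the property-assignment handler and unencoded rendering of the stored value, are illustrated below in a minimal PHP script. This is an added example and not ChurchCRM's own code; the data model, permission names and function names (assignPropertyVulnerable, assignPropertyFixed, canEditPerson and so on) are hypothetical, and the policy in canEditPerson (non-administrators may only edit their own record) stands in for whatever rule the real application should enforce. The payload is a constructed sample of the kind the advisory describes.

```php
<?php
// Added illustration (not ChurchCRM's code). All names and the permission
// model below are hypothetical; they exist only to show the bug pattern.
declare(strict_types=1);

// Constructed sample data: an administrator (id 1) and a mid-level user (id 2).
$people = [
    1 => ['id' => 1, 'name' => 'Admin',  'properties' => []],
    2 => ['id' => 2, 'name' => 'Editor', 'properties' => []],
];

// The acting user holds the two rights named in the advisory but is not an admin.
$currentUser = [
    'id'      => 2,
    'isAdmin' => false,
    'perms'   => ['EditRecords', 'ManagePropertiesAndClassifications'],
];

// --- Vulnerable pattern -------------------------------------------------------
// Trusts the person id taken from the request (IDOR) and checks only that the
// caller holds the permission, never whether it extends to *this* record.
function assignPropertyVulnerable(array &$people, array $user, int $personId, string $value): void
{
    if (!in_array('ManagePropertiesAndClassifications', $user['perms'], true)) {
        throw new RuntimeException('forbidden');
    }
    $people[$personId]['properties'][] = $value; // stored verbatim
}

// Interpolates the stored value straight into HTML, so a stored payload
// becomes live markup when the profile is viewed.
function renderPropertyVulnerable(string $value): string
{
    return "<td>$value</td>";
}

// --- Hardened pattern ---------------------------------------------------------
// Object-level authorization: hypothetical policy that a non-administrator may
// only modify their own record. The real rule depends on the application's model.
function canEditPerson(array $user, int $personId): bool
{
    return $user['isAdmin'] || $user['id'] === $personId;
}

function assignPropertyFixed(array &$people, array $user, int $personId, string $value): void
{
    if (!in_array('ManagePropertiesAndClassifications', $user['perms'], true)
        || !canEditPerson($user, $personId)) {
        throw new RuntimeException('forbidden');
    }
    if (!isset($people[$personId])) {
        throw new RuntimeException('no such person');
    }
    $people[$personId]['properties'][] = $value;
}

// Contextual output encoding: the value is kept as data and rendered as text,
// so angle brackets and quotes can never open a tag or an attribute.
function renderPropertyFixed(string $value): string
{
    return '<td>' . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Constructed sample payload: an image tag with an event handler.
$payload = '<img src=x onerror=alert(document.cookie)>';

// Vulnerable path: the editor (id 2) writes into the administrator's (id 1) profile
// and the value is rendered as live markup.
assignPropertyVulnerable($people, $currentUser, 1, $payload);
echo "vulnerable render: ", renderPropertyVulnerable($people[1]['properties'][0]), PHP_EOL;

// Hardened path: the same write is refused, and even a value that did get stored
// is rendered inert.
try {
    assignPropertyFixed($people, $currentUser, 1, $payload);
} catch (RuntimeException $e) {
    echo "fixed handler refused write: ", $e->getMessage(), PHP_EOL;
}
echo "fixed render: ", renderPropertyFixed($payload), PHP_EOL;
```

Both fixes are needed: the authorization check stops a mid-level user from writing to someone else's record at all, and the output encoding ensures that any value that does reach the page, including one entered legitimately, is displayed rather than executed. When reviewing a fix for this class of bug, confirm that the check is performed against the target record on every write path (form submission and any API endpoint alike), not only on the page that renders the form.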
Users are advised to update ChurchCRM to version 6.5.3 or later, where this vulnerability has been fixed.