ChurchCRM
cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*
- <= 6.4.0
A stored cross-site scripting vulnerability has been identified in ChurchCRM, an open-source church management system, affecting versions through 6.4.0. This vulnerability allows low-privilege users with the 'Manage Groups' permission to inject persistent JavaScript into group role names. The injected script is executed whenever any user, including administrators, views a page displaying that role, such as GroupView.php or PersonView.php. This exploitation leads to full session hijacking and account takeover.
Exploitation of this vulnerability allows for stored cross-site scripting, full session hijacking of administrators, and unauthorized privilege escalation from a low-permission user to a full system admin.
To reproduce this vulnerability, log in as a user with 'Manage Groups' permission. Navigate to the 'Group Roles' section and edit or create a role. Inject a script payload into the role name, such as a fetch request for your cookies, and save the role. Then, assign this role to an administrator. When the admin views their profile or the group view page, the injected script will execute, hijacking the session.
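As an added illustration (not ChurchCRM's own code; the function names, the table-cell markup and the sample role name are assumptions), the following PHP contrasts the unescaped rendering pattern that lets a stored role name execute in a viewer's browser with context-aware output encoding at display time, plus a write-time validation check as defence in depth:

```php
<?php
// Added illustration, not ChurchCRM code: function names, markup and the
// sample value are assumptions. It contrasts unescaped rendering of a stored
// group role name with output encoding, and adds a defensive save-time check.

declare(strict_types=1);

// Constructed sample role name of the kind a 'Manage Groups' user could store.
$roleName = 'Leader<script>alert(1)</script>';

// Vulnerable pattern: the stored value is interpolated into HTML as-is, so the
// browser of whoever views the page (GroupView/PersonView style pages) parses
// the embedded tag as live markup and runs the script.
function renderRoleUnsafe(string $name): string
{
    return '<td>' . $name . '</td>';
}

// Hardened pattern: encode for the HTML text context at the point of output.
// ENT_QUOTES also encodes ' and ", so the same helper is safe inside
// attribute values; the charset is given explicitly to avoid mismatches.
function renderRoleSafe(string $name): string
{
    $encoded = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<td>' . $encoded . '</td>';
}

// Defence in depth at write time: role names are short human-readable labels,
// so reject markup characters before the value reaches the database.
// Validation shrinks the attack surface but never replaces output encoding.
function isValidRoleName(string $name): bool
{
    return mb_strlen($name, 'UTF-8') <= 64
        && preg_match('/^[\p{L}\p{N} .\'\-]+$/u', $name) === 1;
}

// The unsafe renderer emits the <script> tag intact; the safe renderer emits
// it as entity-encoded text that the browser displays instead of executing.
echo renderRoleUnsafe($roleName), PHP_EOL;
echo renderRoleSafe($roleName), PHP_EOL;

// The validator rejects the constructed payload and accepts an ordinary label.
var_dump(isValidRoleName($roleName));
var_dump(isValidRoleName('Small Group Leader'));
```

Encoding must happen in every template that prints the role name, not only in one view, since the same stored value is rendered on several pages.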