ChurchCRM Stored Cross-Site Scripting Vulnerability Allowing Session Theft and Account Takeover

Vulnerability

A stored cross-site scripting vulnerability has been identified in ChurchCRM versions prior to 6.0.0. The application fails to sanitize or encode user-supplied HTML and JavaScript before storing and rendering it, so attacker-controlled script executes in the browsers of users who view the affected content. Because the script runs in the application's own origin, it can read data from that origin and perform actions on behalf of the victim. If the session cookie is not marked HttpOnly, the script can also read document.cookie, leading to session hijacking and account takeover.

Impact

Exploitation of this vulnerability allows session hijacking and account takeover, either by stealing the session token or by driving the application with the victim's authenticated session to perform state-changing actions. Note that an HttpOnly cookie only blocks the first path; script running in the victim's browser can still issue requests that carry the session. If an administrator's or moderator's account is compromised, this can lead to a full application takeover. The vulnerability could additionally be used to read or modify user data, change account settings, initiate transactions, or add backdoor admin accounts.

Reproduction

To reproduce this vulnerability, add a new menu item whose label contains unescaped HTML or JavaScript, for example an element carrying an event handler. Once the payload is stored, it executes automatically whenever the menu is rendered. A payload that alerts document.cookie will display the session cookie if exploitation succeeds and the cookie is not marked HttpOnly.
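The following is an added example, not ChurchCRM code and not part of the original advisory. It shows the three things a tester checks around this issue: what a stored menu label looks like when rendered without output encoding versus with it, a crude check for whether a stored label reached the rendered page unencoded, and an inspection of a Set-Cookie header for the attributes (HttpOnly, Secure, SameSite) that limit what a successful XSS can do with the session. The payload, the HTML fragments and the cookie name CRMSESSID are constructed for the example; ChurchCRM's real template and cookie name are not assumed.

```python
"""
Added example (not ChurchCRM code). Demonstrates:
  1. escape_menu_label(): output encoding for a label placed in an HTML element body.
  2. render_menu_item_vulnerable() / render_menu_item_fixed(): the two renderers side by side.
  3. label_survives_unencoded(): a simple post-upgrade check on a rendered page.
  4. session_cookie_findings(): which hardening attributes a Set-Cookie header lacks.
The HTML fragments, payload and cookie name below are constructed for this example.
"""
import html
from http.cookies import SimpleCookie

# Constructed test payload of the kind a tester would store as a menu label.
# It carries no <script> tag, so naive tag stripping would not catch it.
PAYLOAD = '<img src=x onerror="alert(document.cookie)">'


def escape_menu_label(label: str) -> str:
    """Context-correct encoding for text that lands inside an HTML element body."""
    return html.escape(label, quote=True)


def render_menu_item_vulnerable(label: str) -> str:
    """Renders the stored label verbatim, so stored markup becomes live markup."""
    return f'<li class="menu-item">{label}</li>'


def render_menu_item_fixed(label: str) -> str:
    """Same template with the label encoded; the browser shows the markup as text."""
    return f'<li class="menu-item">{escape_menu_label(label)}</li>'


def label_survives_unencoded(page_html: str, label: str) -> bool:
    """True if the raw label, tags and quotes intact, appears in the rendered page."""
    return label in page_html


def session_cookie_findings(set_cookie_header: str) -> list[str]:
    """Return the missing hardening attributes for each cookie in a Set-Cookie header value."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)  # parses "name=value; Path=/; HttpOnly; Secure; SameSite=Lax"
    findings = []
    for name, morsel in jar.items():
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly (document.cookie can read it)")
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure (sent over plain HTTP)")
        if not morsel["samesite"]:
            findings.append(f"{name}: missing SameSite")
    return findings


if __name__ == "__main__":
    print("vulnerable:", render_menu_item_vulnerable(PAYLOAD))
    print("fixed:     ", render_menu_item_fixed(PAYLOAD))
    # Constructed headers: a weak cookie and a hardened one.
    for header in ("CRMSESSID=abc123; Path=/",
                   "CRMSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax"):
        print(header, "->", session_cookie_findings(header) or "ok")
```

The cookie check is worth running even after upgrading: output encoding removes the injection, but a session cookie without HttpOnly remains readable by any other script-injection bug that turns up later.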

Remediation

Upgrade to ChurchCRM version 6.0.0 or later, where this vulnerability has been patched. Because the payload is stored, existing menu items should also be reviewed for injected markup after upgrading.

Added: Dec 17, 2025, 10:17 PM
Updated: Dec 17, 2025, 10:17 PM

Vulnerability Rating

Custom Algorithm

spread: 1.9
impact: 5.4
exploitability: 5.9
remediation: 7.7
relevance: 1.5
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.