ChurchCRM
cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*
- 6.6.1
A stored cross-site scripting vulnerability has been identified in ChurchCRM versions prior to 6.7.2. This issue occurs in the 'Create Events' feature within the Church Calendar. Low-privilege users can inject XSS payloads into the Description field, which are then stored in the database. When other users, including administrators, view the event, the payload is executed, potentially leading to session hijacking and account takeover.
Exploitation of this vulnerability allows for session hijacking and account takeover, as the injected XSS payload can be used to steal cookies from the user viewing the event.
To reproduce this vulnerability, log in as a low-privilege user and create a new event in the Church Calendar. Intercept the request using Burp Suite and inject an XSS payload into the Description field. Once the event is saved, the payload will be executed when the event is viewed by any user, including admins.
Users can update to ChurchCRM version 6.7.2 or later, where this vulnerability has been fixed.
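The root cause described above is stored, user-controlled text being rendered into HTML unescaped. The following Python is an added illustration, not ChurchCRM's own code: it shows the hardened rendering (contextual HTML escaping of the Description field) and a small triage scan a defender can run over already-stored event rows before upgrading. The Event fields and sample rows are constructed assumptions, not the project's schema.

```python
import html
import re
from dataclasses import dataclass

# Constructed stand-in for a calendar event row; field names are assumptions.
@dataclass
class Event:
    event_id: int
    title: str
    description: str

def render_event_html(event: Event) -> str:
    """Hardened event view: every user-controlled field is HTML-escaped,
    so a stored payload is displayed as text instead of being executed."""
    return (
        f'<div class="event" data-id="{event.event_id}">'
        f"<h3>{html.escape(event.title)}</h3>"
        f"<p>{html.escape(event.description)}</p>"
        "</div>"
    )

# Triage patterns for descriptions already sitting in the database.
# This is a detection aid for auditing an instance, not a sanitizer.
SUSPICIOUS = re.compile(
    r"<\s*(script|iframe|img|svg)\b|\bon[a-z]+\s*=|javascript:", re.IGNORECASE
)

def find_suspicious_descriptions(events: list[Event]) -> list[int]:
    """Return ids of events whose stored description looks like markup."""
    return [e.event_id for e in events if SUSPICIOUS.search(e.description)]

# Constructed sample data: one benign row and two rows carrying markup.
SAMPLE_EVENTS = [
    Event(1, "Bible study", "Room 2, bring your own notes"),
    Event(2, "Youth night", "<script>alert(document.cookie)</script>"),
    Event(3, "Picnic", '<img src=x onerror="alert(1)">'),
]

if __name__ == "__main__":
    print("flagged event ids:", find_suspicious_descriptions(SAMPLE_EVENTS))
    print(render_event_html(SAMPLE_EVENTS[1]))
```

The escaped output keeps the text visible to administrators reviewing the event while removing its ability to execute; the scan only narrows down which rows need a manual look.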