ChurchCRM
cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*
- 6.8.0
A stored cross-site scripting vulnerability has been identified in ChurchCRM versions prior to 6.8.2. This issue allows an authenticated user with permission to edit groups to inject a JavaScript payload. The injected script executes when the group is viewed in the Group View. The vulnerability arises because role names are sanitized only when they are first created: renaming an existing role does not apply the same sanitization, so a renamed role can include JavaScript, which is then executed whenever the group is viewed.
Exploitation of this vulnerability allows for the execution of injected JavaScript payloads when the group is viewed, creating a cross-site scripting risk. Additionally, the authentication cookie lacks secure flags, leaving accounts vulnerable to takeover.
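The two findings above, as an added example that is not ChurchCRM's code: a sanitize-on-create-only role store whose rename path is unchecked (mirroring the defect described), a vulnerable render of the Group View beside one that HTML-encodes at output time, and the session cookie settings that give the authentication cookie the Secure, HttpOnly and SameSite flags. The role table is a constructed in-memory array, and every function name here is hypothetical; the role name used for the walk-through is the advisory's own script-tag-with-alert example.

```php
<?php
// Added example, not ChurchCRM's own code. Shows why sanitizing a role
// name only at creation is not enough, and why output encoding at render
// time is what actually closes the stored XSS.

declare(strict_types=1);

// Hypothetical in-memory stand-in for the roles table (constructed data).
$roles = [];

// Sanitize on create only: the pattern the advisory describes. Everything
// downstream then trusts the stored value.
function createRole(array &$roles, int $groupId, string $name): int
{
    $id = count($roles) + 1;
    $roles[$id] = ['group' => $groupId, 'name' => strip_tags($name)];
    return $id;
}

// The rename path applies no sanitization, so markup reaches storage.
function renameRole(array &$roles, int $id, string $newName): void
{
    $roles[$id]['name'] = $newName;
}

// Vulnerable render: interpolates the stored name straight into HTML.
function renderGroupViewVulnerable(array $roles, int $groupId): string
{
    $html = '<ul>';
    foreach ($roles as $r) {
        if ($r['group'] === $groupId) {
            $html .= '<li>' . $r['name'] . '</li>';
        }
    }
    return $html . '</ul>';
}

// HTML-encode an untrusted value for an HTML text context.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened render: encode every untrusted value at output time, whatever
// earlier code paths (create, rename, import) did or did not do.
function renderGroupViewHardened(array $roles, int $groupId): string
{
    $html = '<ul>';
    foreach ($roles as $r) {
        if ($r['group'] === $groupId) {
            $html .= '<li>' . e($r['name']) . '</li>';
        }
    }
    return $html . '</ul>';
}

// Session cookie hardening for the second finding. Must run before
// session_start() so the authentication cookie is issued with the flags.
function hardenSessionCookie(): void
{
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,     // only sent over HTTPS
        'httponly' => true,     // not readable from document.cookie
        'samesite' => 'Strict', // not attached to cross-site requests
    ]);
}

// Walk-through with the advisory's example role name.
$payloadName = 'Treasurer<script>alert(1)</script>';
$id = createRole($roles, 1, $payloadName);   // tags are stripped here
renameRole($roles, $id, $payloadName);       // but not here

echo "Vulnerable: ", renderGroupViewVulnerable($roles, 1), PHP_EOL;
echo "Hardened:   ", renderGroupViewHardened($roles, 1), PHP_EOL;

hardenSessionCookie();
// session_start() would follow here in a real request handler.
```

The vulnerable render emits the stored script tag verbatim, so a browser loading the Group View executes it; the hardened render turns `<`, `>` and quotes into HTML entities, so the same stored value is displayed as inert text. Encoding at the output boundary is the durable fix because it does not depend on every write path remembering to sanitize; input validation on the rename path is a worthwhile second layer, not a substitute.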
To reproduce this vulnerability, an authenticated user with group editing permissions can create a new group role. After adding the role, the user can rename it to include a JavaScript payload, such as a script tag with an alert command. Once the payload is injected, refreshing the page will trigger the execution of the script, demonstrating the cross-site scripting vulnerability.
Users can upgrade to ChurchCRM version 6.8.2 or later to address this vulnerability.