ChurchCRM Stored Cross-Site Scripting Vulnerability in System Settings JSON Handling

Vulnerability

A stored cross-site scripting (XSS) vulnerability exists in ChurchCRM versions prior to 7.0.2. The issue allows an admin user to inject a JavaScript payload into JSON-type system settings. This payload is executed when any admin views the system settings. The vulnerability arises because the JSON input is not properly sanitized or escaped in 'SystemSettings.php', leaving it vulnerable to XSS attacks. Additionally, the exploitation of this vulnerability can disrupt the functionality of the JSON input settings, causing issues with related application features.

Impact

Exploitation of this vulnerability allows for stored cross-site scripting, where injected JavaScript is executed in the context of the admin user. This could lead to session hijacking by stealing cookies, particularly if the injected script is crafted to send cookie data to an external server. Furthermore, the attack could disrupt the management of JSON-type settings, as the injected payload would cause parsing errors, preventing other admins from editing those settings through the web interface.

Reproduction

To reproduce this vulnerability, log in as an admin user and navigate to the System Settings page. Open the Network tab in the web developer tools and locate a JSON-type setting, such as 'sQBDTSettings'. Inject a JavaScript payload, such as a script tag, into the setting via a POST request to 'SystemSettings.php'. After saving the setting, refresh the System Settings page to execute the injected script, demonstrating the XSS vulnerability. Note that the injected payload will disrupt normal JSON input handling, causing parsing errors that affect the usability of the setting.

Remediation

Users are advised to update to ChurchCRM version 7.0.2 or later, where this vulnerability has been fixed.
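As an added illustration of the two defects described above (not ChurchCRM's own code and not its 7.0.2 fix), a PHP sketch that validates a JSON-type setting before it is stored and HTML-escapes it when it is rendered back into the settings form; the function names, the textarea markup and the sample inputs are assumptions.

```php
<?php
// Added example, not ChurchCRM code. Function names are hypothetical.

// Reject anything that is not a JSON object or array before it is stored.
// This is what keeps a malformed value from breaking the settings editor
// for every other admin later on.
function validateJsonSetting(string $raw): ?string
{
    $decoded = json_decode($raw, true, 512);
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($decoded)) {
        return null; // caller rejects the update and reports a validation error
    }
    // Re-encode canonically so only well-formed JSON reaches the database.
    return json_encode($decoded, JSON_UNESCAPED_SLASHES);
}

// Escape on output: valid JSON can still carry a script tag inside a string
// value, so the stored text must be HTML-escaped when echoed into the form.
// Validation alone fixes the parsing breakage, not the XSS.
function renderJsonSettingField(string $name, string $stored): string
{
    $safeName  = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $safeValue = htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<textarea name=\"$safeName\">$safeValue</textarea>";
}

// Constructed inputs: the first is not JSON and is rejected outright; the
// second is valid JSON whose string value would be live markup if echoed raw.
$badInput  = '<script>alert(1)</script>';
$jsonInput = '{"label":"<script>alert(1)</script>"}';

var_dump(validateJsonSetting($badInput));
$kept = validateJsonSetting($jsonInput);
echo renderJsonSettingField('sQBDTSettings', $kept), PHP_EOL;
```

The first call returns null, so the setting is never overwritten; the second keeps the setting but the rendered textarea contains only entity-encoded text, which the browser does not execute.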

Added: Mar 20, 2026, 2:29 AM
Updated: Mar 20, 2026, 2:29 AM

Vulnerability Rating

Custom Algorithm

spread: 1.9
impact: 5.4
exploitability: 5.9
remediation: 7.7
relevance: 4.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.