ChurchCRM Stored Cross-Site Scripting Vulnerability in Note Editor

Vulnerability

A stored Cross-Site Scripting (XSS) vulnerability has been identified in ChurchCRM, an open-source church management system, in versions prior to 6.5.3. The Note Editor stores user-supplied note content without sanitizing or encoding it, and that content is later rendered as HTML in the browser of every user who views the note. An authenticated user with permission to add notes can therefore plant a note containing JavaScript that runs in the context of other users' sessions, including administrators'.

Impact

Because the payload is persisted with the note, it fires without any further interaction from the attacker each time the note is displayed. Script running in an administrator's session can read what that session can read (member records, contact details, contributions) and perform what that session can perform, so the realistic outcomes are session hijacking, actions carried out with the victim's privileges, and exposure of sensitive church member data.

Reproduction

To reproduce this vulnerability, log into ChurchCRM with an account that has note-adding permissions. Navigate to a person's profile and open the Note Editor. Enter a payload that does not depend on the viewer clicking anything, for example an image tag whose 'onerror' attribute carries JavaScript (an `<img>` with an unresolvable `src` triggers `onerror` as soon as it is rendered), and save the note. The script runs automatically whenever the note is viewed by any user, including administrators.

Remediation

Users should update to ChurchCRM version 6.5.3 or later, where this vulnerability has been fixed. Because the payload is stored server-side, upgrading alone does not tell you whether a malicious note was planted before the fix was applied: review existing notes for embedded markup, and if any are found, treat sessions that viewed them as potentially compromised (invalidate sessions and reset the affected users' credentials).

Added: Apr 7, 2026, 7:37 PM
Updated: Apr 7, 2026, 7:37 PM

Vulnerability Rating

Custom Algorithm

  spread          1.9
  impact          5.4
  exploitability  6.3
  remediation     7.7
  relevance       5.4
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.