ChurchCRM
cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*
- <= 7.0.5
A stored cross-site scripting vulnerability has been identified in ChurchCRM, an open-source church management system, prior to version 7.1.0. The issue resides in the person profile editing feature, where non-administrative users with the EditSelf permission can inject malicious JavaScript into their Facebook, LinkedIn, and X profile fields. Each field is limited to 50 characters, but the attacker works around this limit by distributing the payload across all three fields and chaining their onfocus event handlers so that they execute in sequence. When any user, including an administrator, views the affected profile, the injected script runs and exfiltrates the viewer's session cookies to a remote server.
Exploitation of this vulnerability allows low-privilege users to hijack the session cookies of any user who views their profile, including administrators. This could lead to unauthorized actions being performed as an administrator.
To reproduce this vulnerability, log in as a non-administrative user with the EditSelf permission. Navigate to the profile editing section and inject a JavaScript payload into the Facebook, LinkedIn, and X fields. Due to the 50-character limit, the payload must be crafted to fit within this constraint, using all three fields to execute a script when the profile is viewed. Once the payload is saved, any user who views the profile will trigger the injected script, sending their session cookies to a remote server.
Users are advised to update to ChurchCRM version 7.1.0 or later, where this vulnerability has been patched.
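As an added illustration of the defensive pattern the fix requires (this is example code, not ChurchCRM's own implementation), the following validates the three social profile fields against an allow-list on input and HTML-escapes them on output. The field names, patterns and the 50-character limit are assumptions for the example; the point is that a length limit alone is not a security control, since a payload can be split across fields, whereas the allow-list and output escaping are.

```python
import html
import re

# Constructed allow-list rules for the three social profile fields named in the
# advisory. These patterns are assumptions for illustration, not ChurchCRM's own
# validation: each field accepts a bare account handle or a URL on the expected
# host, and nothing else. The 50-character limit is kept as a size constraint;
# the allow-list is what stops attribute breakouts such as a stray quote.
MAX_LEN = 50
SOCIAL_FIELD_RULES = {
    "facebook": re.compile(r"^(?:https://(?:www\.)?facebook\.com/)?[A-Za-z0-9.]+$"),
    "linkedin": re.compile(r"^(?:https://(?:www\.)?linkedin\.com/in/)?[A-Za-z0-9-]+$"),
    "x": re.compile(r"^(?:https://(?:www\.)?x\.com/)?@?[A-Za-z0-9_]+$"),
}


def validate_social_field(field: str, value: str) -> bool:
    """Return True only when value matches the field's allow-list pattern."""
    rule = SOCIAL_FIELD_RULES.get(field)
    if rule is None or not (0 < len(value) <= MAX_LEN):
        return False
    return rule.fullmatch(value) is not None


def validate_profile_update(fields: dict) -> list:
    """Check every submitted social field together and return the names that
    fail; the caller should reject the whole update if the list is non-empty,
    so that no partial payload fragment is ever stored in any single field."""
    return [name for name, value in fields.items()
            if value and not validate_social_field(name, value)]


def render_social_field(field: str, value: str) -> str:
    """Second layer: escape on output, so even a value that slipped past
    validation cannot close the attribute or open a new tag when the profile
    is viewed by another user."""
    safe = html.escape(value, quote=True)
    return f'<a class="social-{field}" data-handle="{safe}">{safe}</a>'
```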