ChurchCRM Reflected Cross-Site Scripting Vulnerability in GeoPage.php

Vulnerability

A reflected Cross-Site Scripting (XSS) vulnerability has been identified in ChurchCRM versions through 7.0.5. The issue resides in GeoPage.php, where the CoordFileName POST parameter is reflected into an HTML attribute of the rendered form without output encoding. Because the value is not escaped for the attribute context, a double quote in the submitted value closes the attribute, and the remainder of the value is parsed as additional attributes such as autofocus and an onfocus event handler. The injected script therefore runs as soon as the page renders, with no further click or interaction inside the page. GeoPage.php is only reachable by authenticated users, so the victim must be logged in; an attacker delivers the payload by getting the victim to submit a crafted form that POSTs to GeoPage.php (for example an auto-submitting form on an attacker-controlled page). A successful attack runs JavaScript in the victim's session and can be used to steal session cookies and take over the affected account, including administrator accounts.

Impact

Exploitation of this vulnerability allows for reflected Cross-Site Scripting, where injected JavaScript executes in the context of the victim's browser and the victim's authenticated ChurchCRM session. This can lead to session cookie theft and unauthorized account access, including administrative privileges. Marking the session cookie HttpOnly prevents the script from reading it directly, but does not prevent the script from issuing requests as the victim, so it reduces rather than removes the impact.

Reproduction

To reproduce this vulnerability, authenticate as any user and navigate to the GeoPage. Fill the 'Coordinate database file name' input (the CoordFileName field) with a value that closes the attribute and adds an autofocus attribute together with an onfocus handler such as alert(1), then submit the form. Because the value is written back into the attribute unescaped, the injected autofocus attribute gives the field focus when the page loads and the onfocus handler fires immediately, demonstrating the XSS without any further interaction.

Remediation

Users should upgrade to ChurchCRM version 7.1.0 or later, where this vulnerability has been fixed. For those unable to upgrade, the XSS can be mitigated by escaping the CoordFileName parameter for the HTML attribute context before it is output (in PHP, htmlspecialchars with ENT_QUOTES so that double quotes cannot terminate the attribute). The escaping must be applied at every place the parameter is reflected into the page, not only the one identified here.
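The following is an added PHP example, not ChurchCRM's own code: the two render functions are a hypothetical stand-in for the way GeoPage.php writes the CoordFileName POST parameter into an input's value attribute (the real markup and function names differ). It renders the same attribute-breakout payload the reproduction section describes through the vulnerable pattern and through the escaped pattern, then parses each result with DOMDocument to show which attributes a browser would actually see on the element. The payload string is constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not ChurchCRM's own code. renderCoordFileInputVulnerable and
// renderCoordFileInputSafe are hypothetical stand-ins for the attribute
// reflection in GeoPage.php; the project's real markup differs.

// Vulnerable pattern: the raw POST parameter is concatenated into an attribute.
function renderCoordFileInputVulnerable(string $coordFileName): string
{
    return '<input type="text" name="CoordFileName" value="' . $coordFileName . '">';
}

// Hardened pattern: escape for the attribute context before output.
// ENT_QUOTES is the important flag: without it a double quote in the value
// still closes the attribute and the rest of the value becomes new attributes.
// The charset must match the page's declared encoding.
function renderCoordFileInputSafe(string $coordFileName): string
{
    $escaped = htmlspecialchars($coordFileName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="CoordFileName" value="' . $escaped . '">';
}

// Parses the rendered fragment as HTML and returns the attributes actually
// present on the <input>. A parser is used rather than string matching because
// the escaped output still contains the literal text "onfocus=" inside the
// (now harmless) attribute value.
function inputAttributes(string $fragment): array
{
    $doc = new DOMDocument();
    @$doc->loadHTML('<!DOCTYPE html><html><body>' . $fragment . '</body></html>');
    $input = $doc->getElementsByTagName('input')->item(0);
    $attrs = [];
    foreach ($input->attributes as $attr) {
        $attrs[$attr->name] = $attr->value;
    }
    return $attrs;
}

// True when an event-handler (on*) or autofocus attribute reached the element.
function hasInjectedAttributes(array $attrs): bool
{
    foreach (array_keys($attrs) as $name) {
        if ($name === 'autofocus' || strncmp($name, 'on', 2) === 0) {
            return true;
        }
    }
    return false;
}

// Constructed payload of the kind the reproduction section describes: it closes
// value="", adds autofocus and an onfocus handler so the script fires on page
// load, and the trailing x=" absorbs the template's own closing quote so the
// tag stays well-formed.
$payload = '" autofocus onfocus="alert(document.cookie)" x="';

$rendered = [
    'vulnerable' => renderCoordFileInputVulnerable($payload),
    'hardened'   => renderCoordFileInputSafe($payload),
];

foreach ($rendered as $label => $html) {
    $attrs = inputAttributes($html);
    printf("%-11s %s\n", $label . ':', $html);
    printf("%-11s attributes: %s\n", '', implode(', ', array_keys($attrs)));
    printf("%-11s injected handler: %s\n\n", '', hasInjectedAttributes($attrs) ? 'yes' : 'no');
}

// Escaping must not alter what the user typed: the value attribute of the
// hardened output decodes back to the original submitted string.
if (inputAttributes($rendered['hardened'])['value'] !== $payload) {
    fwrite(STDERR, "round-trip of escaped value failed\n");
    exit(1);
}
```

Run with `php example.php`: the vulnerable rendering parses to an input carrying `autofocus` and `onfocus` attributes, while the hardened rendering parses to only `type`, `name` and `value`, with the full payload preserved as inert text in `value`. The same parser-based check is a useful regression test for any other output point of the parameter after the manual fix is applied.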

Added: Apr 7, 2026, 8:22 PM
Updated: Apr 7, 2026, 8:22 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 1.7
exploitability: 7.1
remediation: 7.7
relevance: 5.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.