ChurchCRM Reflected Cross-Site Scripting Vulnerability in FindFundRaiser.php

Vulnerability

A reflected cross-site scripting vulnerability has been identified in ChurchCRM versions prior to 7.1.0. The issue arises in the FindFundRaiser.php endpoint, where the user-supplied values of the DateStart and DateEnd parameters are reflected into HTML input field attributes without proper output encoding. This flaw allows an authenticated attacker to craft a malicious URL that, when opened by another authenticated user, executes arbitrary JavaScript in that user's session. The vulnerability has been patched in version 7.1.0.

Impact

Exploitation of this vulnerability results in reflected cross-site scripting: an authenticated user can be targeted with a crafted link that executes script in the context of the application. This can lead to unauthorized actions performed on the victim's behalf or to exposure of sensitive data such as session cookies.

Reproduction

To reproduce this vulnerability, an authenticated user sends a link whose DateStart parameter contains a JavaScript payload. When another authenticated user clicks the link, the JavaScript executes, demonstrating the cross-site scripting vulnerability.
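The pattern behind the Vulnerability and Reproduction sections above, shown as an added illustration in PHP. This is not ChurchCRM's own code and the function names, field markup and sample input are assumptions; the page only states that FindFundRaiser.php reflects DateStart and DateEnd into input attributes without encoding. The vulnerable renderer concatenates the raw query value into a double-quoted attribute, so a value containing a quote character closes the attribute early; the hardened renderer encodes for the attribute context with htmlspecialchars and ENT_QUOTES, and an additional check rejects values that are not dates at all.

```php
<?php
// Added illustration, not ChurchCRM's own code. Function names, markup and
// the sample input below are assumptions made for this example.

// Vulnerable pattern: raw request values placed inside a double-quoted attribute.
function renderDateFilterVulnerable(array $query): string
{
    $start = $query['DateStart'] ?? '';
    $end   = $query['DateEnd'] ?? '';
    return '<input type="text" name="DateStart" value="' . $start . '">' . "\n"
         . '<input type="text" name="DateEnd" value="' . $end . '">';
}

// Hardened pattern: encode for the HTML attribute context. ENT_QUOTES escapes
// both " and ', so a value can never close the attribute it is placed in.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderDateFilterSafe(array $query): string
{
    $start = attr($query['DateStart'] ?? '');
    $end   = attr($query['DateEnd'] ?? '');
    return '<input type="text" name="DateStart" value="' . $start . '">' . "\n"
         . '<input type="text" name="DateEnd" value="' . $end . '">';
}

// Defence in depth: the fields are dates, so anything that is not a strict
// YYYY-MM-DD value can be rejected before it reaches the template at all.
function isIsoDate(string $value): bool
{
    $d = DateTimeImmutable::createFromFormat('!Y-m-d', $value);
    return $d !== false && $d->format('Y-m-d') === $value;
}

// Constructed sample input containing the characters that matter in an
// attribute context (a double quote, a single quote and angle brackets).
$sample = [
    'DateStart' => '2024-01-01" foo="<bar>',
    'DateEnd'   => "2024-12-31'",
];

echo "Vulnerable rendering (attribute boundary is broken):\n";
echo renderDateFilterVulnerable($sample) . "\n\n";

echo "Encoded rendering (value stays inside the attribute):\n";
echo renderDateFilterSafe($sample) . "\n\n";

foreach ($sample as $name => $value) {
    printf("%s: %s\n", $name, isIsoDate($value) ? 'accepted' : 'rejected (not YYYY-MM-DD)');
}
```

Running this with `php` prints the two renderings side by side: in the vulnerable output the sample value terminates the `value` attribute and introduces a new one, whereas in the encoded output every quote and angle bracket appears as an entity and the value remains a harmless string. Output encoding is the fix that closes the reported issue; the date check is an extra layer that makes the reflected value uninteresting even if a template somewhere forgets to encode.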

Remediation

Users can upgrade to ChurchCRM version 7.1.0 or later to address this vulnerability.

Added: Apr 7, 2026, 8:21 PM
Updated: Apr 7, 2026, 8:21 PM

Vulnerability Rating

Custom Algorithm
spread: 1.9
impact: 3.5
exploitability: 6.2
remediation: 7.7
relevance: 5.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.