ChurchCRM Cross-Site Scripting Vulnerability in Event Editing Component

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in ChurchCRM, an open-source church management system, in versions prior to 7.1.0. The issue lies in the event editing feature, specifically in the 'EditEventAttendees.php' file. Attacker-supplied input, in particular the 'EName' and 'EDesc' parameters, is rendered on the page without output encoding, so HTML markup in those values is interpreted by the browser rather than displayed as text. This enables the execution of arbitrary JavaScript in the browsers of users who view the affected page.

Impact

Exploitation of this vulnerability allows cross-site scripting: injected scripts execute in the context of the viewing user's browser session on the ChurchCRM site.

Reproduction

To reproduce this vulnerability, send a POST request to 'EditEventAttendees.php' with the 'EName' and 'EDesc' parameters containing unescaped HTML, such as a script tag with JavaScript code. The injected script is executed when the page is viewed.

Remediation

Users can upgrade to ChurchCRM version 7.1.0 or later, where this vulnerability has been fixed.
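The root cause described under Vulnerability is the absence of output encoding, and the fix in 7.1.0 belongs to that class. The following PHP snippet is an added illustration, not ChurchCRM's own code before or after the fix: it renders two event fields once with the unsafe pattern the advisory describes and once through an HTML-encoding helper, so the difference is visible in the produced markup. The parameter names 'EName' and 'EDesc' come from the advisory; the function names, the markup layout and the sample request body are constructed for this example.

```php
<?php
// Added example, not code from ChurchCRM. Parameter names EName and EDesc
// are taken from the advisory; everything else here is illustrative.

/**
 * Encode a string for insertion into HTML text or a quoted attribute.
 * ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE replaces invalid
 * UTF-8 sequences instead of returning an empty string, which would
 * otherwise silently blank the field.
 */
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Render the two event fields into an HTML fragment.
 * $encode = false reproduces the unsafe pattern (markup in the value is
 * interpreted by the browser); $encode = true is the remediated form.
 */
function renderEventFields(array $post, bool $encode): string
{
    $name = (string) ($post['EName'] ?? '');
    $desc = (string) ($post['EDesc'] ?? '');
    if ($encode) {
        $name = encodeForHtml($name);
        $desc = encodeForHtml($desc);
    }
    return '<input type="text" name="EName" value="' . $name . '">' . "\n"
         . '<textarea name="EDesc">' . $desc . '</textarea>' . "\n";
}

/**
 * Simple review check: a rendered fragment built from user data should
 * contain no raw angle brackets or quotes originating from that data.
 */
function containsRawMarkup(string $userValue, string $rendered): bool
{
    foreach (['<', '>', '"', "'"] as $ch) {
        if (str_contains($userValue, $ch) && str_contains($rendered, $ch . '')
            && substr_count($rendered, $ch) > substr_count(renderEventFields(['EName' => '', 'EDesc' => ''], true), $ch)) {
            return true;
        }
    }
    return false;
}

// Constructed sample request body with characters that are significant
// in HTML text and attribute values (quotes, ampersand, angle brackets).
$samplePost = [
    'EName' => 'Youth "Night" & Potluck',
    'EDesc' => 'Bring a friend & <b>sign up</b> early',
];

$unsafe = renderEventFields($samplePost, false);
$safe   = renderEventFields($samplePost, true);

echo "Unencoded (vulnerable pattern):\n" . $unsafe . "\n";
echo "Encoded (remediated pattern):\n" . $safe . "\n";
echo 'Raw markup leaks in unencoded output: '
    . (containsRawMarkup($samplePost['EDesc'], $unsafe) ? 'yes' : 'no') . "\n";
echo 'Raw markup leaks in encoded output:   '
    . (containsRawMarkup($samplePost['EDesc'], $safe) ? 'yes' : 'no') . "\n";
```

Run it with `php example.php` (PHP 8 or later, for `str_contains`). In the unencoded output the `<b>` tag and the double quotes reach the browser as markup; in the encoded output they appear as `&lt;b&gt;` and `&quot;` and are displayed literally. Note that `htmlspecialchars` is the right tool for HTML text and quoted attribute values only: a value placed inside a `<script>` block, an event-handler attribute or a URL needs encoding for that context instead, which is why the check at the end is tied to where the value is rendered rather than to the input alone.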

Added: Apr 9, 2026, 6:11 PM
Updated: Apr 9, 2026, 6:11 PM

Vulnerability Rating

Custom Algorithm

spread: 1.9
impact: 1.7
exploitability: 6.6
remediation: 7.7
relevance: 5.5
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to produce these 8 vulnerability categories, which are then combined into the overall risk score.