CVE-2024-25895 in ChurchCRMinfo

Summary

by MITRE • 02/21/2024

A reflected cross-site scripting (XSS) vulnerability in ChurchCRM 5.5.0 allows remote attackers to inject arbitrary web script or HTML via the type parameter of /EventAttendance.php

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 04/19/2025

The reflected cross-site scripting vulnerability identified as CVE-2024-25895 exists within ChurchCRM version 5.5.0 and represents a critical security flaw that enables remote attackers to execute malicious scripts within the context of affected user sessions. This vulnerability specifically targets the EventAttendance.php endpoint where the type parameter fails to properly sanitize user input, creating an avenue for attackers to inject arbitrary web scripts or HTML code that will be executed when other users view the affected page.

The technical nature of this flaw aligns with CWE-79 which defines cross-site scripting as a code injection vulnerability where malicious scripts are executed in the victim's browser. The vulnerability manifests when the application fails to validate or escape the type parameter before rendering it in the web page output, allowing an attacker to craft malicious payloads that exploit the lack of input sanitization. This reflected XSS variant means the malicious script is reflected off the web server rather than being stored, making it particularly dangerous for web applications that process user input directly in their responses.

The operational impact of this vulnerability extends beyond simple script execution, as it can enable attackers to perform a wide range of malicious activities including session hijacking, credential theft, and data exfiltration from authenticated users. An attacker could potentially craft payloads that steal session cookies, redirect users to malicious sites, or even modify the content displayed to users, thereby compromising the integrity of the application's user interface. Given that ChurchCRM is typically used by religious organizations and institutions that handle sensitive personal data, the potential for abuse is significant, particularly when considering that authenticated users may have access to confidential information about church members, donations, and personal records.

The attack vector for this vulnerability requires minimal prerequisites, as it only requires an attacker to convince a victim to click on a maliciously crafted link containing the XSS payload. This makes the vulnerability particularly dangerous in environments where users may be less security-aware or where the application is used in shared network environments. The reflected nature of the vulnerability means that the malicious script is executed in the victim's browser without requiring any server-side persistence, making detection and prevention more challenging for administrators who may not immediately realize that a user has been compromised.

Organizations utilizing ChurchCRM 5.5.0 should implement immediate mitigations including input validation and output encoding for all user-supplied parameters, particularly those used in dynamic content generation. The recommended approach involves implementing proper parameter sanitization that ensures all user input is validated against a strict whitelist of acceptable values or properly escaped before rendering in the browser context. Additionally, implementing Content Security Policy headers can provide an additional layer of protection against XSS attacks by restricting the sources from which scripts can be executed within the application context. The vulnerability also highlights the importance of regular security updates and patch management processes, as this issue would likely be resolved in subsequent releases of the ChurchCRM platform through proper input validation mechanisms and adherence to secure coding practices that align with OWASP Top Ten recommendations for preventing XSS vulnerabilities.

Reservation

02/12/2024

Disclosure

02/21/2024

Moderation

accepted

CPE

ready

EPSS

0.00440

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!