CVE-2024-25898 in ChurchCRM
Summary
by MITRE • 02/21/2024
A XSS vulnerability was found in the ChurchCRM v.5.5.0 functionality, edit your event, where malicious JS or HTML code can be inserted in the Event Sermon field in EventEditor.php.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 02/12/2025
The vulnerability CVE-2024-25898 represents a cross-site scripting flaw in ChurchCRM version 5.5.0 that specifically affects the event editing functionality. This issue resides within the EventEditor.php component where users can modify event details, creating an attack vector that allows malicious actors to inject persistent JavaScript or HTML code into the Event Sermon field. The vulnerability stems from inadequate input validation and output sanitization mechanisms that fail to properly escape or filter user-supplied content before rendering it within the web interface.
This XSS vulnerability falls under the CWE-79 category of Cross-Site Scripting, which is classified as a critical security weakness in web applications. The attack occurs when unfiltered user input is directly embedded into web pages without proper encoding or sanitization, allowing malicious scripts to execute in the context of other users' browsers. In the ChurchCRM context, this means that when administrators or users view event details, any malicious code injected into the sermon field will execute in their browsers, potentially leading to session hijacking, credential theft, or further exploitation of the web application.
The operational impact of this vulnerability extends beyond simple script execution as it can be leveraged for more sophisticated attacks within the ChurchCRM environment. An attacker could inject malicious scripts that steal session cookies, redirect users to phishing sites, or even execute commands on the server if additional vulnerabilities exist. The persistent nature of this flaw means that once malicious code is injected into the Event Sermon field, it will affect all users who view that event, making it particularly dangerous for organizations that rely on ChurchCRM for managing church activities and communications. This vulnerability directly maps to ATT&CK technique T1566.001 for initial access through malicious web content and T1059.007 for command and control through script injection.
Mitigation strategies for CVE-2024-25898 should focus on implementing proper input validation and output encoding mechanisms throughout the ChurchCRM application. The EventEditor.php component must sanitize all user inputs, particularly the Event Sermon field, by implementing HTML entity encoding or using secure output filtering libraries. Organizations should immediately upgrade to the latest version of ChurchCRM where this vulnerability has been patched, as version 5.5.0 appears to be vulnerable to this specific XSS attack vector. Additionally, implementing Content Security Policy headers can provide an additional layer of protection against script execution, while regular security audits of user input fields should be conducted to identify and remediate similar vulnerabilities across the application. The fix should include proper escaping of all dynamic content before rendering it in the web interface, ensuring that any user-supplied HTML or JavaScript is treated as data rather than executable code, thereby preventing unauthorized script execution in the context of authenticated users.