Submission #671103: ChurchCRM <= 5.18.0 Cross-Site Scripting (XSS)

Information

Title: ChurchCRM <= 5.18.0 Cross-Site Scripting (XSS)
Description: Stored XSS vulnerability in ChurchCRM's Note Editor (NoteEditor.php) allows authenticated users to bypass existing XSS filters using a specific encoded payload technique with HTML attribute injection. The malicious JavaScript persists in the database and automatically executes when any user views the affected profile, enabling session hijacking of administrators, privilege escalation, and unauthorized access to sensitive church data. The same filter bypass technique affects multiple endpoints throughout the application, amplifying the attack surface.
Source: https://github.com/uartu0/advisories/blob/main/churchcrm-stored-xss-2025.md
User: uartu0 (UID 90021)
Submission: 08/10/2025 05h17 (7 months ago)
Moderation: 18/10/2025 14h53 (10 days later)
Status: Duplicate
VulDB Entry: 227384 [ChurchCRM 4.5.3 NoteEditor.php Cross-Site Scripting]
Points: 0
