| Title | ChurchCRM 5.15.0 Cross Site Scripting |
|---|---|
| Description | Vendor was contacted via GitHub advisory on March 12th but has not responded in any way. The advisory reports a stored Cross-Site Scripting (XSS) vulnerability in ChurchCRM v5.16.0, specifically in the Group Editor. Authenticated users with permission to create groups can inject malicious JavaScript into the Group Name field. This payload is later executed when viewing pages like "View Active People", enabling potential attacks such as session hijacking or defacement. The issue stems from improper output encoding of user-supplied input. |
| Source | https://everydaysparkling.com/p/b4afe675-b7fb-4cf8-be90-e443ffddc0b6/ |
| User | Jelle Janssens (UID 81048) |
| Submission | 04/10/2025 15:29 (1 Year ago) |
| Moderation | 04/26/2025 08:45 (16 days later) |
| Status | Duplicate |
| VulDB entry | 223276 [ChurchCRM 4.5.3 Edit Group cross site scripting] |
| Points | 0 |