Platform
php
Component
crm
Fixed in
5.13.1
CVE-2025-1024 addresses a Cross-Site Scripting (XSS) vulnerability identified in ChurchCRM versions 5.13.0 and earlier. An attacker can exploit this flaw to execute arbitrary JavaScript in a victim's browser by crafting malicious input within the EditEventAttendees.php page, specifically targeting the EID parameter. This vulnerability requires Administration privileges and affects users of the application.
Successful exploitation of this XSS vulnerability allows an attacker to inject malicious JavaScript code into the ChurchCRM application. This code can then be executed in the context of an authenticated user's browser, potentially allowing the attacker to steal session cookies, perform actions on behalf of the user, and gain unauthorized access to sensitive data. The impact can range from defacement of the application to complete account takeover, depending on the attacker's objectives and the privileges of the targeted user. The blast radius extends to all users with administrative privileges.
CVE-2025-1024 is not currently tracked on KEV or EPSS. The CVSS score is pending evaluation. No public Proof-of-Concept (POC) exploits are currently known. Published on 2025-02-19.
Organizations utilizing ChurchCRM, particularly those with administrative users who may be targeted by social engineering attacks, are at risk. Shared hosting environments where multiple ChurchCRM instances reside on the same server could potentially expose multiple organizations to this vulnerability if one instance is compromised.
• php: Examine access logs for suspicious requests to EditEventAttendees.php containing unusual characters or JavaScript code in the EID parameter. Look for patterns like <script> or javascript:.
grep -iE 'script|javascript' /var/log/apache2/access.log | grep EditEventAttendees.php
• generic web: Use curl to test the EditEventAttendees.php endpoint with a simple XSS payload (e.g., <script>alert('XSS')</script>) in the EID parameter and observe the response for signs of script execution.
curl -s 'http://your-churchcrm-instance/EditEventAttendees.php?EID=<script>alert("XSS")</script>'
Disclosure
Exploit status
EPSS
0.16% (37th percentile)
CISA SSVC
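The grep above only matches a payload that appears literally in the log; a browser or client normally percent-encodes the query string, so `<script>` arrives as `%3Cscript%3E` and the pattern never fires. The following script is an added example written for this page, not ChurchCRM code or tooling: it parses combined-format access-log lines, decodes the EID value, and flags any request to EditEventAttendees.php whose EID is not a plain numeric id. The assumption that a legitimate EID is a positive integer, and the sample log lines, are constructed for the example.

```php
<?php
// Added example (not ChurchCRM code): scan Apache access-log lines for
// requests to EditEventAttendees.php whose decoded EID value is not a
// numeric identifier. Decoding first catches percent-encoded payloads
// (%3Cscript%3E) that a literal grep for "<script>" misses.

const TARGET_SCRIPT = 'EditEventAttendees.php';
const PARAM         = 'EID';

// Markers that never belong in a numeric id; used only to annotate hits.
const XSS_MARKER = '/<|>|script|javascript:/i';

function extractRequestTarget(string $line): ?string
{
    // Combined log format: ... "GET /path?query HTTP/1.1" ...
    if (!preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return null;
    }
    return $m[1];
}

function eidFromRequestTarget(string $target): ?string
{
    $parts = parse_url($target);
    if (!isset($parts['path']) || basename($parts['path']) !== TARGET_SCRIPT) {
        return null;
    }
    if (empty($parts['query'])) {
        return null;
    }
    parse_str($parts['query'], $q);            // parse_str URL-decodes each value
    if (!isset($q[PARAM])) {
        return null;
    }
    // EID[]=... would arrive as an array; flatten it so it is still inspected.
    return is_array($q[PARAM]) ? implode(',', $q[PARAM]) : (string) $q[PARAM];
}

function scanAccessLog(array $lines): array
{
    $hits = [];
    foreach ($lines as $n => $line) {
        $target = extractRequestTarget($line);
        if ($target === null) {
            continue;
        }
        $eid = eidFromRequestTarget($target);
        if ($eid === null || ctype_digit($eid)) {
            continue;                           // normal traffic: numeric id or no EID
        }
        $hits[] = [
            'line'   => $n + 1,
            'eid'    => $eid,
            'marker' => preg_match(XSS_MARKER, $eid) === 1,
        ];
    }
    return $hits;
}

// Constructed sample lines (not real traffic). Lines 2 and 3 carry the
// percent-encoded forms of the patterns named in the detection guidance.
$sample = [
    '10.0.0.5 - - [19/Feb/2025:10:01:02 +0000] "GET /EditEventAttendees.php?EID=42 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [19/Feb/2025:10:02:10 +0000] "GET /EditEventAttendees.php?EID=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5300',
    '10.0.0.9 - - [19/Feb/2025:10:03:44 +0000] "GET /EditEventAttendees.php?EID=javascript%3Aalert(1) HTTP/1.1" 200 5290',
    '10.0.0.7 - - [19/Feb/2025:10:04:00 +0000] "GET /index.php HTTP/1.1" 200 900',
];

foreach (scanAccessLog($sample) as $hit) {
    printf("line %d: EID=%s%s\n", $hit['line'], $hit['eid'], $hit['marker'] ? '  [XSS marker]' : '');
}
```

Run it against real log lines with `php scan.php < access.log` after replacing `$sample` with `file('php://stdin')`. Flagging every non-numeric EID rather than only known markers is deliberate: the allow-list ("what a valid id looks like") is much harder to evade than a deny-list of script keywords, and the marker flag then serves to prioritise the hits.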
The recommended mitigation is to upgrade ChurchCRM to version 5.13.1 or later, which includes the fix for this vulnerability. As a temporary workaround, implement strict input validation and sanitization on all user-supplied data, particularly the EID parameter in the EditEventAttendees.php page. Consider using a Content Security Policy (CSP) to restrict the execution of inline scripts and limit the potential impact of XSS attacks. After upgrading, verify the fix by attempting to inject a simple JavaScript payload and confirming that it is properly sanitized.
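To make the temporary workaround concrete, here is an added example, not ChurchCRM's code: a hypothetical handler that reflects the EID parameter, first in the vulnerable shape the advisory describes and then hardened with allow-list validation, output encoding and a Content Security Policy header. The parameter name EID and the page name come from the advisory; the handler functions, the assumption that EID is a positive integer event id, and the CSP directives are illustrative choices for this example.

```php
<?php
// Added example (not ChurchCRM code). Hypothetical request handler for a
// page that reflects the EID query parameter into HTML.

// Vulnerable pattern: the untrusted query value is echoed straight into markup,
// so a value such as <script>alert("XSS")</script> becomes live script.
function renderVulnerable(array $get): string
{
    $eid = $get['EID'] ?? '';
    return "<h2>Attendees for event {$eid}</h2>";
}

// Step 1: validate against what the value is supposed to be. The example
// assumes a legitimate EID is a positive integer; anything else is rejected.
function validateEid(array $get): ?int
{
    $eid = filter_var(
        $get['EID'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    return $eid === false ? null : $eid;
}

// Step 2: encode on output. Kept even for an integer, because the same
// encoding call is what protects every free-text value a page reflects.
function renderHardened(array $get): string
{
    $eid = validateEid($get);
    if ($eid === null) {
        // Fail closed: the rejected value is never written back into the page.
        http_response_code(400);
        return '<p>Invalid event id.</p>';
    }
    $safe = htmlspecialchars((string) $eid, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<h2>Attendees for event {$safe}</h2>";
}

// Step 3: defence in depth. Without 'unsafe-inline' in script-src, an inline
// payload that slips past an encoding step is blocked by the browser.
function sendCspHeader(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
}

// Demonstration with constructed input: the probe payload from the advisory.
$probe = ['EID' => '<script>alert("XSS")</script>'];
sendCspHeader();
echo renderVulnerable($probe), "\n";          // payload reaches the HTML unchanged
echo renderHardened($probe), "\n";            // rejected with 400, nothing reflected
echo renderHardened(['EID' => '17']), "\n";   // valid id rendered normally
```

The order matters: validation narrows the input to the expected type, encoding protects whatever is still reflected, and the CSP limits damage if either is missed elsewhere. Before enabling a `script-src 'self'` policy on a real deployment, check the application's own pages for inline scripts and event-handler attributes, since the policy will block those too; roll it out with `Content-Security-Policy-Report-Only` first to see what would break.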
Upgrade ChurchCRM to a version later than 5.13.0 to fix the XSS vulnerability. This prevents attackers from executing malicious scripts in users' browsers and stealing their sessions. Consult the ChurchCRM changelog for details on the fixed version.
CVE-2025-1024 is a Reflected Cross-Site Scripting (XSS) vulnerability in ChurchCRM versions 5.13.0 and earlier, allowing attackers to inject JavaScript code.
You are affected if you are running ChurchCRM version 5.13.0 or an earlier version. Upgrade to 5.13.1 or later to mitigate the risk.
Upgrade ChurchCRM to version 5.13.1 or later. As a temporary workaround, implement strict input validation on the EID parameter.
While no active exploitation has been confirmed, the vulnerability's nature makes it likely that exploitation attempts may occur.
Refer to the ChurchCRM security advisories page for the latest information and updates regarding CVE-2025-1024.