Platform
php
Component
churchcrm
Fixed in
7.1.1
A stored cross-site scripting (XSS) vulnerability exists in ChurchCRM versions 0.0.0 through 7.0. The flaw is in PersonView.php, which writes a person's Facebook field into the page without attribute-safe escaping. An authenticated user holding the EditRecords role can store JavaScript in a person's Facebook field; the payload then executes in the browser of every user, administrators included, who views that person's profile.
Successful exploitation of CVE-2026-35534 lets the attacker run arbitrary JavaScript in another user's browser session on the ChurchCRM origin. That enables session hijacking, theft of credentials or session cookies (where the session cookie is HttpOnly the script cannot read it, but it can still issue authenticated requests on the victim's behalf), and defacement of the ChurchCRM interface. Because the payload is stored, it is persistent: it fires for every viewer until the field is cleaned, and a single administrator viewing the profile is enough to hand the attacker administrative control of the instance and the member data it holds.
CVE-2026-35534 was publicly disclosed on 2026-04-07. No public proof-of-concept (PoC) code has been released at the time of writing, though stored XSS of this kind is easy to reproduce once the sink is known, so one may follow. The current EPSS score is 0.03% (9th percentile), consistent with the authenticated, role-gated precondition. The CVE is not listed in the CISA KEV catalog.
Organizations running ChurchCRM versions 0.0.0 through 7.0 are affected, which in practice means many small churches relying on open-source software with limited security staffing. The payload executes in the viewer's browser on the vulnerable instance's origin, so the exposure is per instance rather than per server; it is greatest where many accounts hold the EditRecords role and where administrators routinely review member profiles.
• php: In PersonView.php, trace how the Facebook field reaches the rendered HTML and whether the escaping applied (the page names sanitizeText()) is attribute-safe, i.e. encodes both quote characters, since a single quote or double quote is enough to break out of an attribute value. Then query the stored Facebook field values for markup or event-handler fragments such as <, onerror= and javascript:.
• generic web: Monitor access logs for requests to PersonView.php with unusual parameters. Keep in mind that the payload is written through the person edit form and that standard access logs do not record POST bodies, so the injection itself is usually invisible there; the stored field values are the authoritative evidence.
• generic web: Where a WAF sits in front of ChurchCRM, apply its XSS rules to the person edit requests that write the Facebook field, because that is the request carrying the payload; the later PersonView.php request that triggers it looks entirely normal.
• generic web: Review member profiles for unexpected content in the Facebook field; anything that is not a plain https URL on a Facebook host deserves a closer look.
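The stored-value and access-log checks listed above, as an added example that is not ChurchCRM's own code: a PHP 8 script that flags Facebook field values and request targets carrying XSS indicators. The sample records and log lines are constructed; the database table and column that hold the Facebook field are not assumed, so in production feed the output of your own query into scanFacebookValues(). The event-handler indicator can false-positive on legitimate query keys (on=, for instance), so treat the result as a triage list.

```php
<?php
// Added example, not ChurchCRM code. Detection checks for the CVE-2026-35534
// pattern, run over constructed sample data so the script works offline:
//  1. scan stored Facebook field values for markup / event-handler / script-URL
//     indicators (table and column names deliberately not assumed);
//  2. scan access log lines for request targets carrying the same indicators.
//     POST bodies are not in standard access logs, so (1) is authoritative.

declare(strict_types=1);

// Indicators that a value which should be a profile URL carries markup or script.
const XSS_INDICATORS = [
    '/<\s*\/?\s*[a-z]/i',                    // tag-like opening: <script, <img, </a
    '/\bon[a-z]+\s*=/i',                     // event handler: onerror=, onmouseover=
    '/^\s*(javascript|data|vbscript)\s*:/i', // script-bearing URL scheme
    '/["\']\s*[a-z-]+\s*=/i',                // quote then attr=: attribute break-out
];

// Returns the patterns that matched; checks the raw value and a URL-decoded copy
// so percent-encoded payloads (%22%20onerror%3D...) are caught as well.
function findXssIndicators(string $value): array
{
    $hits = [];
    foreach ([$value, rawurldecode($value)] as $candidate) {
        foreach (XSS_INDICATORS as $re) {
            if (preg_match($re, $candidate)) {
                $hits[$re] = true;
            }
        }
    }
    return array_keys($hits);
}

// 1. Stored field values keyed by person id (constructed; not real records).
function scanFacebookValues(array $rows): array
{
    $flagged = [];
    foreach ($rows as $personId => $facebook) {
        $hits = findXssIndicators((string) $facebook);
        if ($hits !== []) {
            $flagged[$personId] = $hits;
        }
    }
    return $flagged;
}

// 2. Access log lines in common/combined format (constructed).
function scanAccessLog(array $lines): array
{
    $flagged = [];
    foreach ($lines as $line) {
        // Pull the request target out of the quoted request field.
        if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        $hits = findXssIndicators($m[1]);
        if ($hits !== []) {
            $flagged[] = ['request' => $m[1], 'indicators' => $hits];
        }
    }
    return $flagged;
}

$sampleRows = [
    101 => 'https://www.facebook.com/alice.example',
    102 => '" onmouseover="alert(document.cookie)',
    103 => 'javascript:alert(1)',
    104 => '',
];
$sampleLog = [
    '10.0.0.5 - - [07/Apr/2026:10:12:01 +0000] "GET /PersonView.php?PersonID=102 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [07/Apr/2026:10:13:44 +0000] "GET /PersonView.php?PersonID=%22%20onerror%3Dalert(1) HTTP/1.1" 200 5120',
];

$flaggedRows = scanFacebookValues($sampleRows); // persons 102 and 103
$flaggedLog  = scanAccessLog($sampleLog);       // only the second line
assert(array_keys($flaggedRows) === [102, 103]);
assert(count($flaggedLog) === 1);
print_r($flaggedRows);
print_r($flaggedLog);
```

Run it with php detect.php; swap $sampleRows for the result of your own SELECT over the person records and $sampleLog for the real access log to use it against an instance.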
Disclosure
Exploit status
EPSS
0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-35534 is to upgrade ChurchCRM to a release that contains the fix. This page lists 7.1.1 as the fixed version while the advisory text cites 7.1.0 or later; check the ChurchCRM release notes to confirm which release carries the PersonView.php change before relying on 7.1.0. If upgrading immediately is not feasible, reduce exposure in the meantime: a WAF rule is of limited use against stored XSS because the payload is delivered once through the edit form, so instead restrict the Facebook field on the server side to a plain https URL on a Facebook host and reject anything else. That validation has to sit alongside, not instead of, output encoding: every value written into an HTML attribute must be encoded with both quote characters escaped, which is more than a text-only sanitizer such as sanitizeText() guarantees. After upgrading, confirm the fix by entering a harmless test payload (for example a double quote followed by an event-handler attribute) in a test person's Facebook field and verifying that the profile renders it as inert text rather than executing it.
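The validate-then-encode fix described in the flaw description and in the mitigation above, as an added example that is not ChurchCRM's code: a hypothetical profile-link renderer in its vulnerable form beside a hardened form, with a self-check showing that a constructed break-out payload does not survive as a live attribute. The markup, function names and the allowlisted hosts are assumptions; ChurchCRM's actual template and its sanitizeText() helper may differ.

```php
<?php
// Added example, not ChurchCRM's own code. Shows the class of bug in
// CVE-2026-35534 (a stored Facebook value echoed into an HTML attribute
// without attribute-safe encoding) next to a hardened renderer.
// Assumption: the template builds a profile link as <a href="...">;
// the real ChurchCRM markup may differ. Requires PHP 8 (str_contains).

declare(strict_types=1);

// Vulnerable: raw interpolation. A stored value such as
//   " onmouseover="alert(document.cookie)      (constructed payload)
// closes the href attribute and adds an event handler to the element.
function renderFacebookLinkVulnerable(string $facebook): string
{
    return '<a href="' . $facebook . '">Facebook</a>';
}

// Hardened: (1) allowlist the URL shape, (2) HTML-encode with ENT_QUOTES so
// both ' and " are escaped, (3) render non-conforming values as inert text,
// so nothing stored is ever emitted raw or made clickable.
function renderFacebookLinkHardened(string $facebook): string
{
    $safe = htmlspecialchars($facebook, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    if (!isValidFacebookProfileUrl($facebook)) {
        return '<span>' . $safe . '</span>';
    }
    return '<a href="' . $safe . '" rel="noopener noreferrer">Facebook</a>';
}

// Scheme and host allowlist: javascript:, data: and off-site URLs never become
// a link, even though attribute encoding alone already stops the break-out.
function isValidFacebookProfileUrl(string $value): bool
{
    if ($value === '' || strlen($value) > 255 || preg_match('/[\x00-\x1f\x7f]/', $value)) {
        return false;
    }
    $parts = parse_url($value);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    if (strtolower($parts['scheme']) !== 'https') {
        return false;
    }
    $host = strtolower($parts['host']);
    return in_array($host, ['facebook.com', 'www.facebook.com', 'm.facebook.com'], true);
}

// Self-check with constructed inputs (not real records).
$benign  = 'https://www.facebook.com/example.person';
$payload = '" onmouseover="alert(document.cookie)';

$vulnOut = renderFacebookLinkVulnerable($payload);
$hardOut = renderFacebookLinkHardened($payload);

// Vulnerable output contains a live attribute; hardened output does not.
assert(str_contains($vulnOut, ' onmouseover="'));
assert(!str_contains($hardOut, ' onmouseover="'));
assert(str_contains($hardOut, '&quot; onmouseover=&quot;'));
assert(renderFacebookLinkHardened($benign)
    === '<a href="https://www.facebook.com/example.person" rel="noopener noreferrer">Facebook</a>');
assert(!str_contains(renderFacebookLinkHardened('javascript:alert(1)'), '<a '));
echo "vulnerable: {$vulnOut}\nhardened:   {$hardOut}\n";
```

The same pair of inputs is what the post-upgrade verification step above uses: the benign URL must still render as a link, and the break-out payload must come back as encoded text with no attribute attached.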
Update ChurchCRM to version 7.1.0 or later to mitigate the XSS vulnerability. The update fixes the issue by correctly sanitizing HTML attributes, preventing injection of malicious JavaScript through the Facebook field.
CVE-2026-35534 is a stored cross-site scripting (XSS) vulnerability in ChurchCRM versions 0.0.0 through 7.0 that lets an authenticated user with the EditRecords role inject JavaScript through a person's Facebook field.
If you run ChurchCRM version 7.0 or earlier, you are affected. Upgrade to a release containing the fix (7.1.0 or later according to the advisory text; this page records 7.1.1 as the fixed version) to remove the risk.
The recommended fix is the upgrade. If an upgrade is not immediately possible, restrict the Facebook field to a plain https URL on the server side and ensure values are attribute-encoded before display, as a temporary measure only.
No public exploit is known at the time of writing, but stored XSS of this kind is straightforward to reproduce, so the risk of exploitation is real once the field and page are known.
Refer to the official ChurchCRM website and security advisories for the latest information and updates regarding CVE-2026-35534.