HIGH · CVE-2026-39344 · CVSS 8.1

Reflected XSS on the login page via the 'username' parameter

Platform: php

Component: churchcrm

Fixed in: 7.1.1

AI Confidence: high · NVD · EPSS 0.0% · Reviewed: May 2026

CVE-2026-39344 describes a Reflected Cross-Site Scripting (XSS) vulnerability found in ChurchCRM versions prior to 7.1.0. This vulnerability allows attackers to inject malicious JavaScript code into the login page via the username parameter in the URL. Successful exploitation could result in the theft of sensitive user data, such as session cookies, or the presentation of a fake login form to harvest credentials.

Impact and Attack Scenarios

The impact of this XSS vulnerability is significant, as it can be exploited to compromise user accounts and potentially gain control of the ChurchCRM application. An attacker could craft a malicious URL containing JavaScript code and send it to a ChurchCRM user. When the user clicks the link, the JavaScript code will execute in their browser, allowing the attacker to steal their session cookie and impersonate them. Alternatively, the attacker could inject JavaScript code that replaces the legitimate login form with a fake one, tricking users into entering their credentials, which are then sent to the attacker. This could lead to unauthorized access to sensitive church data, including member information, financial records, and event details.

Exploitation Context

This vulnerability was publicly disclosed on 2026-04-07. There is currently no indication of active exploitation campaigns targeting ChurchCRM. Public proof-of-concept (POC) code is likely to emerge given the ease of exploitation of reflected XSS vulnerabilities. The vulnerability is not currently listed on the CISA KEV catalog.

Who Is at Risk

Churches and organizations utilizing ChurchCRM versions 0.0.0 through 7.0 are at risk. This includes deployments with limited security expertise and those relying on default configurations. Shared hosting environments where multiple ChurchCRM instances reside on the same server are particularly vulnerable, as a successful attack on one instance could potentially compromise others.

Detection Steps

• php: Examine ChurchCRM application logs for suspicious URL parameters containing JavaScript code in the username field. Use grep to search for patterns like <script> or alert() within the logs.

grep -i '<script>.*alert(.*)' /var/log/apache2/access.log

• generic web: Monitor access logs for requests to the login page with unusual or excessively long username parameters. Use curl to test the login page with a simple XSS payload and observe the response.

curl 'http://churchcrm.example.com/login.php?username=<script>alert("XSS")</script>' -s
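The grep above only finds a literal `<script>`, but browsers and curl send the query string URL-encoded (`%3Cscript%3E`), so in a real access log it will usually match nothing. As an added example (not code from the page or from the ChurchCRM project), this Python script decodes the `username` parameter of login-page requests before inspecting it for markup or unusual length; the log lines are constructed, the `/login.php` path is taken from the curl command above, and the 64-character length threshold is an assumption.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed Apache combined-format lines (not real ChurchCRM traffic).
# The payloads are URL-encoded, as they would appear in an actual access log.
SAMPLE_LOG = """\
203.0.113.10 - - [07/Apr/2026:10:00:01 +0000] "GET /login.php?username=alice HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [07/Apr/2026:10:00:02 +0000] "GET /login.php?username=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 540 "-" "curl/8.0"
203.0.113.12 - - [07/Apr/2026:10:00:03 +0000] "GET /login.php?username=bob%22%3E%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 540 "-" "Mozilla/5.0"
203.0.113.13 - - [07/Apr/2026:10:00:04 +0000] "GET /index.php?username=%3Cb%3Ex HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Tag openers, inline event handlers and javascript: URLs have no place in a username.
MARKUP_RE = re.compile(r'<\s*/?\s*[a-z]|\bon[a-z]+\s*=|javascript\s*:', re.IGNORECASE)
LOGIN_PATH = "/login.php"   # path from the curl example; adjust to the deployment
MAX_USERNAME_LEN = 64       # assumed threshold for "excessively long"


def suspicious_usernames(log_text, max_len=MAX_USERNAME_LEN):
    """Return (line_no, decoded_username, reason) for login-page requests whose
    username parameter contains markup or is unusually long."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlparse(m.group("target"))
        if url.path != LOGIN_PATH:
            continue
        for raw in parse_qs(url.query, keep_blank_values=True).get("username", []):
            # parse_qs decoded once; decode again so a double-encoded payload is not missed.
            value = unquote(raw)
            if MARKUP_RE.search(value):
                hits.append((line_no, value, "markup"))
            elif len(value) > max_len:
                hits.append((line_no, value, "oversized"))
    return hits


if __name__ == "__main__":
    for line_no, value, reason in suspicious_usernames(SAMPLE_LOG):
        print(f"line {line_no}: {reason}: {value!r}")
```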

Attack Timeline

  1. Disclosure

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High
Reports: 1 threat report

EPSS

0.04% (percentile 11%)

CISA SSVC

Exploitation: poc
Automatable: no
Technical Impact: total

CVSS Vector

THREAT INTELLIGENCE · CVSS 3.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N, base score 8.1 (HIGH)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (level of authentication required)
User Interaction: Required (whether a victim action is required)
Scope: Unchanged (impact beyond the affected component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: None (risk of service interruption)
Source: nextguardhq.com · CVSS v3.1 base score
What do these metrics mean?
Attack Vector
Network: exploitable remotely over the internet. No physical or local access required.
Attack Complexity
Low: no special conditions required. Reliably exploitable.
Privileges Required
None: unauthenticated. No credentials required to exploit.
User Interaction
Required: the victim must open a file, click a link or visit a page.
Scope
Unchanged: impact limited to the vulnerable component.
Confidentiality
High: total loss of confidentiality. The attacker can read all data.
Integrity
High: the attacker can write, modify or delete all data.
Availability
None: no impact on availability.

Affected Software

Component: churchcrm
Vendor: ChurchCRM
Affected range: < 7.1.0 – < 7.1.0
Fixed in: 7.1.1

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-39344 is to upgrade ChurchCRM to version 7.1.0 or later, which includes the necessary sanitization and encoding of the username parameter. If an immediate upgrade is not possible, consider implementing a Web Application Firewall (WAF) rule to filter out malicious JavaScript code in the username parameter. Additionally, carefully review and sanitize all user inputs within the ChurchCRM application to prevent similar vulnerabilities from arising. After upgrading, verify the fix by attempting to inject a simple JavaScript payload (e.g., <script>alert('XSS')</script>) into the username parameter of the login URL and confirming that it is not executed.

How to fix

Upgrade to version 7.1.0 or later to mitigate the XSS vulnerability. This update fixes the missing sanitization or encoding of the 'username' parameter on the login page, preventing the injection of malicious scripts.


Frequently Asked Questions

What is CVE-2026-39344 — XSS in ChurchCRM?

CVE-2026-39344 is a Reflected Cross-Site Scripting (XSS) vulnerability in ChurchCRM versions 0.0.0 through 7.0, allowing attackers to inject malicious JavaScript into the login page.

Am I affected by CVE-2026-39344 in ChurchCRM?

You are affected if you are using ChurchCRM versions 0.0.0 through 7.0. Upgrade to version 7.1.0 or later to resolve the vulnerability.

How do I fix CVE-2026-39344 in ChurchCRM?

Upgrade ChurchCRM to version 7.1.0 or later. Consider implementing a WAF rule to filter malicious JavaScript in the username parameter as a temporary mitigation.

Is CVE-2026-39344 being actively exploited?

There is currently no indication of active exploitation campaigns, but public proof-of-concept code is likely to emerge.

Where can I find the official ChurchCRM advisory for CVE-2026-39344?

Refer to the ChurchCRM website and security advisories for the official announcement and details regarding this vulnerability.
