ChurchCRM में PrintView.php के माध्यम से व्यक्ति गुणों में संग्रहीत क्रॉस-साइट स्क्रिप्टिंग (XSS) है
प्लेटफ़ॉर्म
php
घटक
churchcrm
में ठीक किया गया
7.0.1
A stored cross-site scripting (XSS) vulnerability has been identified in ChurchCRM, an open-source church management system. This flaw, present in versions prior to 7.0.0, allows authenticated users to inject malicious JavaScript code through dynamically assigned person properties. Exploitation can lead to session hijacking or complete account compromise, impacting the confidentiality and integrity of church data.
प्रभाव और हमले की स्थितियाँअनुवाद हो रहा है…
The vulnerability resides within the Person Property Management subsystem of ChurchCRM. An attacker, once authenticated, can craft a malicious payload and inject it into a person's profile properties. This payload is then persistently stored and executed whenever other users view the affected profile or access its printable view. This persistent nature significantly amplifies the risk, as the attack isn't a one-time event but affects all subsequent views of the compromised profile. Successful exploitation could allow an attacker to steal session cookies, impersonate users, modify data, or even gain full control of affected accounts, potentially disrupting church operations and exposing sensitive member information.
शोषण संदर्भअनुवाद हो रहा है…
This vulnerability was publicly disclosed on 2026-04-07. While no public proof-of-concept (PoC) has been released at the time of writing, the ease of exploitation and the potential impact suggest a medium probability of exploitation. It is not currently listed on the CISA KEV catalog. The vulnerability persists even in versions patched for CVE-2023-38766, highlighting the importance of thorough testing after applying security updates.
कौन जोखिम में हैअनुवाद हो रहा है…
Churches and organizations utilizing ChurchCRM, particularly those relying on the Person Property Management subsystem for storing and managing member information, are at risk. Shared hosting environments where multiple ChurchCRM instances reside on the same server could also be affected, as a successful exploit on one instance could potentially impact others.
पहचान के चरणअनुवाद हो रहा है…
• php: Examine ChurchCRM database for suspicious JavaScript code stored in person property fields. Use SELECT * FROM personproperties WHERE propertyvalue LIKE '%<script%'; to identify potential XSS payloads.
• generic web: Monitor access logs for requests containing unusual JavaScript code in URL parameters or POST data targeting the Person Property Management endpoints.
• generic web: Review ChurchCRM application logs for errors related to JavaScript execution or unexpected behavior in the Person Property Management subsystem.
हमले की समयरेखा
- Disclosure
disclosure
खतरा खुफिया
एक्सप्लॉइट स्थिति
EPSS
0.03% (9% शतमक)
CISA SSVC
CVSS वेक्टर
इन मेट्रिक्स का क्या मतलब है?
- Attack Vector
- नेटवर्क — इंटरनेट के माध्यम से दूरस्थ रूप से शोषण योग्य। कोई भौतिक या स्थानीय पहुंच आवश्यक नहीं।
- Attack Complexity
- निम्न — कोई विशेष शर्त नहीं। विश्वसनीय रूप से शोषण योग्य।
- Privileges Required
- निम्न — कोई भी वैध उपयोगकर्ता खाता पर्याप्त है।
- User Interaction
- आवश्यक — पीड़ित को फ़ाइल खोलनी, लिंक पर क्लिक करना या पेज पर जाना होगा।
- Scope
- बदला हुआ — हमला कमज़ोर घटक से परे अन्य प्रणालियों तक फैल सकता है।
- Confidentiality
- उच्च — पूर्ण गोपनीयता हानि। हमलावर सभी डेटा पढ़ सकता है।
- Integrity
- उच्च — हमलावर कोई भी डेटा लिख, बदल या हटा सकता है।
- Availability
- कोई नहीं — उपलब्धता पर कोई प्रभाव नहीं।
प्रभावित सॉफ्टवेयर
कमजोरी वर्गीकरण (CWE)
समयरेखा
- आरक्षित
- प्रकाशित
- संशोधित
- EPSS अद्यतन
शमन और वर्कअराउंडअनुवाद हो रहा है…
The primary mitigation for CVE-2026-35576 is to upgrade ChurchCRM to version 7.0.0 or later, which contains the fix. If an immediate upgrade is not feasible, consider implementing strict input validation and output encoding on all user-supplied data within the Person Property Management subsystem. Web application firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly review and sanitize user-generated content to identify and remove any potentially malicious scripts.
कैसे ठीक करेंअनुवाद हो रहा है…
Actualice a la versión 7.0.0 o posterior para mitigar la vulnerabilidad de XSS. Esta actualización corrige la forma en que se manejan las propiedades de la persona, evitando la inyección de código JavaScript malicioso en las vistas de perfil y en la impresión.
CVE सुरक्षा न्यूज़लेटर
भेद्यता विश्लेषण और गंभीर अलर्ट सीधे आपके ईमेल में।
अक्सर पूछे जाने वाले सवालअनुवाद हो रहा है…
What is CVE-2026-35576 — XSS in ChurchCRM?
CVE-2026-35576 is a stored cross-site scripting (XSS) vulnerability in ChurchCRM versions 0.0.0 through 6.99.9, allowing authenticated users to inject malicious JavaScript code.
Am I affected by CVE-2026-35576 in ChurchCRM?
You are affected if you are using ChurchCRM versions 0.0.0 through 6.99.9 and have not upgraded to version 7.0.0.
How do I fix CVE-2026-35576 in ChurchCRM?
Upgrade ChurchCRM to version 7.0.0 or later. Implement input validation and output encoding as an interim measure.
Is CVE-2026-35576 being actively exploited?
While no public exploit is currently known, the vulnerability's ease of exploitation suggests a potential for active exploitation.
Where can I find the official ChurchCRM advisory for CVE-2026-35576?
Refer to the ChurchCRM website and security advisories for the latest information and official guidance regarding CVE-2026-35576.
क्या आपका प्रोजेक्ट प्रभावित है?
अपनी डिपेंडेंसी फ़ाइल अपलोड करें और तुरंत जानें कि यह CVE और अन्य आपको प्रभावित करती हैं या नहीं।