ChurchCRM has a stored XSS in Person Profile - Add a Note
Platform: php
Component: churchcrm
Fixed in: 6.5.4
CVE-2026-35574 describes a stored Cross-Site Scripting (XSS) vulnerability within ChurchCRM, an open-source church management system. This vulnerability allows authenticated users with note-adding permissions to inject malicious JavaScript code, impacting other users, including administrators. The vulnerability affects versions 6.5.0 through 6.5.2 and has been resolved in version 6.5.3.
Impact and attack scenarios
An attacker exploiting this XSS vulnerability could execute arbitrary JavaScript code within the browsers of other ChurchCRM users. This presents a significant risk of session hijacking, allowing the attacker to impersonate legitimate users and gain unauthorized access to sensitive church member data. The potential impact extends to administrators, enabling privilege escalation and complete control over the ChurchCRM instance. Successful exploitation could lead to data breaches, defacement of the application, and disruption of church operations. While the vulnerability requires authentication, the ease of note creation in many ChurchCRM configurations could make it relatively accessible to malicious actors.
Exploitation context
CVE-2026-35574 was publicly disclosed on 2026-04-07. No public proof-of-concept (POC) code has been released at the time of writing, but the XSS nature of the vulnerability makes it likely that a POC will emerge. The vulnerability is not currently listed on CISA KEV. Given the ease of exploitation inherent in XSS vulnerabilities, and the potential for data compromise, it is prudent to prioritize remediation.
Who is at risk
Churches and religious organizations utilizing ChurchCRM versions 6.5.0 through 6.5.2 are at direct risk. Organizations with shared hosting environments or those that have granted broad note-adding permissions to multiple users are particularly vulnerable, as the attack surface is increased.
Detection steps
• php: Examine ChurchCRM logs for suspicious JavaScript code being injected into notes. Search for unusual characters or patterns commonly associated with XSS payloads.
    grep -i 'alert\(' /var/log/churchcrm/error.log
• generic web: Monitor access logs for requests containing suspicious URL parameters or POST data that could be indicative of XSS attempts.
    grep -i '<script' /var/log/apache2/access.log
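The grep commands above miss a payload as soon as it is URL-encoded, and an access log never contains POST bodies at all. The following PHP script is an added example (not part of this advisory and not ChurchCRM code) that scans access-log lines after decoding the request target, so that `%3Cscript%3E` is caught as well as `<script>`. The log lines, IP addresses and script paths in it are constructed samples modelled on the Note Editor the advisory names, not real ChurchCRM paths or traffic.

```php
<?php
// Added example: detect markup in URL-decoded request targets of
// Apache combined-format access log lines.
// SAMPLE_LOG and the paths inside it are constructed for this example.
declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
203.0.113.5 - - [07/Apr/2026:10:01:02 +0000] "GET /PersonView.php?PersonID=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [07/Apr/2026:10:02:11 +0000] "GET /NoteEditor.php?PersonID=12&Note=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.2 - - [07/Apr/2026:10:03:40 +0000] "POST /NoteEditor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
LOG;

// Returns true when the request target of one log line contains markup
// or a script handler after URL decoding. Decoding twice catches
// double-encoded values, which a raw grep would never match.
function requestLooksLikeXss(string $line): bool
{
    if (!preg_match('/"(?:GET|POST|PUT|PATCH) (\S+) HTTP/', $line, $m)) {
        return false;
    }
    $target = rawurldecode(rawurldecode($m[1]));
    // \b in front of "on" keeps parameter names such as PersonID= from matching.
    return (bool) preg_match('/<\s*script|javascript:|\bon\w+\s*=/i', $target);
}

// Returns the subset of log lines flagged by requestLooksLikeXss().
function suspiciousLines(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (requestLooksLikeXss($line)) {
            $hits[] = $line;
        }
    }
    return $hits;
}

// Only the encoded GET request is flagged; the POST line carries its note
// in the body, which the access log does not record.
foreach (suspiciousLines(SAMPLE_LOG) as $hit) {
    echo $hit, PHP_EOL;
}
```

Run it against a real log with `suspiciousLines(file_get_contents('/var/log/apache2/access.log'))`. Because the note is submitted in a POST body, the authoritative place to look for an already-stored payload is the note content in the ChurchCRM database, not the web server log; the log scan only surfaces attempts that put the payload in the query string.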
Threat intelligence
EPSS: 0.03% (9th percentile)
CVSS vector
- Attack Vector: Network. Exploitable remotely over the internet; no physical or local access required.
- Attack Complexity: Low. No special conditions; reliably exploitable.
- Privileges Required: Low. Any valid user account is sufficient.
- User Interaction: Required. The victim must open a file, click a link, or visit a page.
- Scope: Unchanged. Impact is limited to the vulnerable component.
- Confidentiality: High. Total loss of confidentiality; the attacker can read all data.
- Integrity: High. The attacker can write, change, or delete any data.
- Availability: None. No impact on availability.
Mitigation and workarounds
The primary mitigation for CVE-2026-35574 is to immediately upgrade ChurchCRM to version 6.5.3 or later. If upgrading is not immediately feasible, consider implementing strict input validation and output encoding on all user-supplied data within the Note Editor. Web Application Firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly review ChurchCRM configurations to ensure that note-adding permissions are granted only to authorized personnel.
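The interim measure above, output encoding at render time, is the fix that actually closes a stored XSS; validation alone cannot, because a legitimate pastoral note may contain `<`, `&` or quotes. The PHP below is an added example (not ChurchCRM code and not taken from the fix in 6.5.3) contrasting the vulnerable pattern the advisory describes with an encoded render. Function names and the sample note are constructed for illustration.

```php
<?php
// Added example: vulnerable vs. hardened rendering of a stored note.
// Function names are hypothetical and do not exist in ChurchCRM.
declare(strict_types=1);

// Vulnerable pattern: stored note text concatenated straight into HTML,
// so any tag inside the note becomes part of the page.
function renderNoteUnsafe(string $note): string
{
    return '<div class="note">' . $note . '</div>';
}

// Context-specific encoder for HTML text and quoted attribute values.
// ENT_QUOTES encodes both quote styles, which matters in attributes;
// ENT_SUBSTITUTE prevents an invalid UTF-8 sequence from returning ''.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: the same template, with the note encoded at output time.
function renderNoteSafe(string $note): string
{
    return '<div class="note">' . escapeHtml($note) . '</div>';
}

// Attribute context: the attribute must always be quoted in the template
// AND the value must pass through an encoder that handles quotes.
function renderNoteTitleAttribute(string $title): string
{
    return '<a href="/note" title="' . escapeHtml($title) . '">note</a>';
}

// Secondary input validation: reject control characters and oversized
// notes. This limits abuse but does not replace output encoding.
function isAcceptableNote(string $note): bool
{
    if (strlen($note) > 4000) {
        return false;
    }
    return preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F]/', $note) !== 1;
}

// Constructed sample note containing markup.
$sample = '<script>alert(1)</script> Visited the family, "needs" follow-up & prayer';

echo renderNoteUnsafe($sample), PHP_EOL;        // tag reaches the browser intact
echo renderNoteSafe($sample), PHP_EOL;          // &lt;script&gt;... shown as text
echo renderNoteTitleAttribute('x" title="y'), PHP_EOL; // quotes encoded, attribute not broken
var_dump(isAcceptableNote($sample));           // true: markup is data, encoding handles it
```

The design point is that the encoder is chosen by the output context, not by the input: the same note may be written once into HTML text and once into an attribute, and each location needs its own encoding. Templating engines that escape by default (such as the one ChurchCRM uses for its views) give the same result as long as the raw-output escape hatch is not used for note text.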
How to fix
Update ChurchCRM to version 6.5.3 or later to mitigate the XSS vulnerability. Make sure to back up your database before updating. Review the audit logs for any suspicious activity after the update.
Frequently asked questions
What is CVE-2026-35574 — XSS in ChurchCRM?
CVE-2026-35574 is a stored Cross-Site Scripting (XSS) vulnerability in ChurchCRM versions 6.5.0 through 6.5.2, allowing attackers to execute JavaScript code.
Am I affected by CVE-2026-35574 in ChurchCRM?
You are affected if you are running ChurchCRM versions 6.5.0, 6.5.1, or 6.5.2. Upgrade to 6.5.3 to mitigate the risk.
How do I fix CVE-2026-35574 in ChurchCRM?
Upgrade ChurchCRM to version 6.5.3 or later. Implement input validation and output encoding as an interim measure.
Is CVE-2026-35574 being actively exploited?
While no active exploitation has been confirmed, the XSS nature of the vulnerability suggests a high likelihood of exploitation if left unpatched.
Where can I find the official ChurchCRM advisory for CVE-2026-35574?
Refer to the ChurchCRM security advisories on their official website or GitHub repository for the latest information.