Platform: php
Component: churchcrm
Fixed version: 7.1.1
CVE-2026-39332 describes a reflected Cross-Site Scripting (XSS) vulnerability discovered in ChurchCRM. This flaw allows authenticated users to inject malicious JavaScript code into the browsers of other authenticated users. Successful exploitation can lead to session cookie theft and complete account takeover, even for administrator accounts, making it a critical security concern. The vulnerability impacts versions 0.0.0 through 7.0.x and is resolved in version 7.1.0.
The impact of this XSS vulnerability is significant due to its ease of exploitation and potential for complete account compromise. An attacker can craft a malicious form submission that, when submitted by a victim, automatically executes the injected JavaScript. This automatic execution, facilitated by the autofocus attribute, bypasses typical user interaction requirements, making it highly effective. The stolen session cookies can then be used to impersonate the victim, granting the attacker full access to their ChurchCRM account. This includes the ability to modify church data, manage members, and potentially access sensitive financial information. Given ChurchCRM's role in managing church operations, this vulnerability poses a serious risk to data integrity and confidentiality.
This vulnerability was publicly disclosed on 2026-04-07. While no active exploitation campaigns have been publicly reported, the ease of exploitation and potential impact make it a likely target. There are currently no known public proof-of-concept exploits, but the vulnerability's simplicity suggests that one could be developed relatively easily. The vulnerability is not currently listed on the CISA KEV catalog.
Churches and religious organizations using ChurchCRM versions 0.0.0 through 7.0.x are at significant risk. Organizations relying on ChurchCRM for sensitive data management, such as member information and financial records, are particularly vulnerable. Shared hosting environments where multiple ChurchCRM instances reside on the same server could also be affected, potentially impacting multiple organizations simultaneously.
• php: Examine ChurchCRM logs for suspicious GET requests to GeoPage.php containing JavaScript code.
  grep -i 'javascript:' /var/log/apache2/access.log | grep GeoPage.php
• php: Check for modified GeoPage.php files containing suspicious code.
  diff /path/to/original/GeoPage.php /path/to/current/GeoPage.php
• generic web: Monitor web server access logs for unusual user agent strings or referrer headers associated with requests to GeoPage.php.
• generic web: Inspect response headers for signs of XSS payloads being served.
• generic web: Use a vulnerability scanner to identify the XSS vulnerability in GeoPage.php.
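As an added illustration of the log check above (not part of this advisory or of ChurchCRM itself), the following Python parses Apache combined-format access log entries, percent-decodes the request URL, and flags GeoPage.php requests carrying XSS indicators, which a literal grep for 'javascript:' misses whenever the payload is URL-encoded. The log format, the query parameter name `Source` and the sample log lines are assumptions constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Apache "combined" access-log format (assumed; adjust the pattern to your server).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Indicators: the 'javascript:' string from the grep above, script tags, inline
# event handlers, and the autofocus attribute the advisory names as the trigger.
INDICATORS = re.compile(
    r'javascript:|<\s*script|<\s*[a-z]+[^>]*\bon[a-z]+\s*=|autofocus', re.I
)

def decode_query(url: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads are normalised too."""
    for _ in range(rounds):
        decoded = unquote_plus(url)
        if decoded == url:
            break
        url = decoded
    return url

def suspicious_geopage_requests(lines):
    """Return (ip, timestamp, decoded_url) for GeoPage.php hits with XSS indicators."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format entry; skip rather than guess
        url = decode_query(m.group("url"))
        path = url.split("?", 1)[0]
        if "GeoPage.php" in path and INDICATORS.search(url):
            hits.append((m.group("ip"), m.group("ts"), url))
    return hits

# Constructed sample lines (not real traffic): a benign hit, a plain-text payload,
# a percent-encoded payload a literal grep would miss, and a hit on another page.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Apr/2026:10:00:01 +0000] "GET /GeoPage.php?Source=Family HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [07/Apr/2026:10:00:07 +0000] "GET /GeoPage.php?Source=javascript:alert(1) HTTP/1.1" 200 5310 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [07/Apr/2026:10:00:09 +0000] "GET /GeoPage.php?Source=%3Cinput%20autofocus%20onfocus%3Dalert%281%29%3E HTTP/1.1" 200 5400 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [07/Apr/2026:10:01:00 +0000] "GET /index.php?x=%3Cscript%3E HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, ts, url in suspicious_geopage_requests(SAMPLE_LOG):
        print(f"{ts} {ip} {url}")
```

Run it against a real file with `suspicious_geopage_requests(open("/var/log/apache2/access.log"))`; the decoded URL in each hit is what you would compare against the grep output above.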
disclosure
patch
Exploit status
EPSS: 0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-39332 is to immediately upgrade ChurchCRM to version 7.1.0 or later, which contains the fix. If upgrading is not immediately feasible, consider implementing temporary workarounds. Input validation and output encoding on the GeoPage.php page can help prevent the injection of malicious scripts. Web Application Firewalls (WAFs) configured to detect and block XSS payloads targeting the GeoPage.php endpoint can provide an additional layer of protection. Monitor ChurchCRM logs for suspicious activity, particularly form submissions containing unusual characters or JavaScript code. After upgrading, confirm the fix by attempting to submit a crafted XSS payload to the GeoPage.php page and verifying that the script is not executed.
Upgrade ChurchCRM to version 7.1.0 or later to mitigate the XSS vulnerability in GeoPage.php. This update corrects how user input is handled, preventing the injection of malicious JavaScript code. Be sure to back up your database before upgrading.
CVE-2026-39332 is a reflected Cross-Site Scripting (XSS) vulnerability in ChurchCRM versions 0.0.0 through 7.0.x, allowing attackers to inject JavaScript code.
If you are using ChurchCRM versions 0.0.0 through 7.0.x, you are potentially affected by this vulnerability. Upgrade to 7.1.0 or later to mitigate the risk.
The recommended fix is to upgrade ChurchCRM to version 7.1.0 or later. Temporary workarounds include input validation and WAF rules.
While no active exploitation campaigns have been publicly reported, the vulnerability's ease of exploitation makes it a potential target.
Refer to the ChurchCRM website and security advisories for the latest information and official announcements regarding CVE-2026-39332.