HIGH · CVE-2026-39344 · CVSS 8.1

Reflected XSS on the login page via the 'username' parameter

Platform

php

Component

churchcrm

Fixed in

7.1.1

AI Confidence: high · NVD EPSS 0.0% · Assessed: May 2026

CVE-2026-39344 describes a Reflected Cross-Site Scripting (XSS) vulnerability found in ChurchCRM versions prior to 7.1.0. This vulnerability allows attackers to inject malicious JavaScript code into the login page via the username parameter in the URL. Successful exploitation could result in the theft of sensitive user data, such as session cookies, or the presentation of a fake login form to harvest credentials.

Impact and Attack Scenarios

The impact of this XSS vulnerability is significant, as it can be exploited to compromise user accounts and potentially gain control of the ChurchCRM application. An attacker could craft a malicious URL containing JavaScript code and send it to a ChurchCRM user. When the user clicks the link, the JavaScript code will execute in their browser, allowing the attacker to steal their session cookie and impersonate them. Alternatively, the attacker could inject JavaScript code that replaces the legitimate login form with a fake one, tricking users into entering their credentials, which are then sent to the attacker. This could lead to unauthorized access to sensitive church data, including member information, financial records, and event details.

Exploitation Context

This vulnerability was publicly disclosed on 2026-04-07. There is currently no indication of active exploitation campaigns targeting ChurchCRM. Public proof-of-concept (POC) code is likely to emerge given the ease of exploitation of reflected XSS vulnerabilities. The vulnerability is not currently listed on the CISA KEV catalog.

Who Is at Risk

Churches and organizations utilizing ChurchCRM versions 0.0.0 through 7.0 are at risk. This includes deployments with limited security expertise and those relying on default configurations. Shared hosting environments where multiple ChurchCRM instances reside on the same server are particularly vulnerable, as a successful attack on one instance could potentially compromise others.

Detection Steps

• php: Examine the web server access logs of the ChurchCRM deployment for requests whose username parameter contains JavaScript. Because access logs normally record the query string URL-encoded, match both the literal and the percent-encoded form of a script tag rather than only `<script>`.

grep -iE 'username=[^ &]*(<|%3C)script' /var/log/apache2/access.log

• generic web: Monitor access logs for requests to the login page with unusual or excessively long username parameters. Use curl to test the login page with a simple XSS payload and observe the response.

curl 'http://churchcrm.example.com/login.php?username=<script>alert("XSS")</script>' -s
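The two detection steps above can be combined into one log scanner. This is an added example, not code from the page or from the ChurchCRM project; it assumes Apache combined-format access logs, a login page at /login.php (the path used in the curl check above) and a maximum legitimate username length of 64 characters, and it URL-decodes the parameter so that encoded probes that a plain grep misses are still flagged.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Request portion of an Apache combined/common log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Injection indicators, applied to the decoded value (grep on raw logs misses %3Cscript%3E).
XSS_PATTERNS = [
    re.compile(r'<\s*script', re.I),
    re.compile(r'javascript\s*:', re.I),
    re.compile(r'\bon[a-z]+\s*=', re.I),           # inline event handlers such as onerror=
    re.compile(r'<\s*(img|svg|iframe|body)\b', re.I),
]
LOGIN_PATH = '/login.php'      # assumption: ChurchCRM login endpoint
MAX_USERNAME_LEN = 64          # assumption: longer values are treated as anomalous

def inspect_line(line):
    """Return a finding dict for a suspicious login request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group('target'))
    if not parts.path.endswith(LOGIN_PATH):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)   # decodes once
    for raw in qs.get('username', []):
        value = unquote_plus(raw)                          # second pass catches double-encoding
        reasons = [p.pattern for p in XSS_PATTERNS if p.search(value)]
        if len(value) > MAX_USERNAME_LEN:
            reasons.append('length>%d' % MAX_USERNAME_LEN)
        if reasons:
            return {'ip': m.group('ip'), 'ts': m.group('ts'), 'username': value, 'reasons': reasons}
    return None

def scan(lines):
    return [f for f in (inspect_line(l) for l in lines) if f]

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Apr/2026:10:12:01 +0000] "GET /login.php?username=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5123',
    '198.51.100.9 - - [07/Apr/2026:10:12:09 +0000] "GET /login.php?username=alice HTTP/1.1" 200 5123',
    '203.0.113.5 - - [07/Apr/2026:10:13:44 +0000] "GET /login.php?username=x%22%20onerror%3Dalert(1) HTTP/1.1" 200 5123',
    '198.51.100.9 - - [07/Apr/2026:10:14:00 +0000] "GET /index.php?username=%3Cscript%3E HTTP/1.1" 200 900',
]

if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Only requests to the login path are inspected, so the same encoded string on another page (last sample line) is not reported; widen LOGIN_PATH if the deployment serves the login form elsewhere.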

Attack Timeline

  1. Disclosure

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High
Reports: 1 threat report

EPSS

0.04% (11th percentile)

CISA SSVC

Exploitation: poc
Automatable: no
Technical Impact: total

CVSS Vector

THREAT INTELLIGENCE · CVSS 3.1
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Base score: 8.1 HIGH

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (authentication level required for the attack)
User Interaction: Required (whether the victim must take action)
Scope: Unchanged (impact beyond the affected component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: None (risk of service disruption)
Source: nextguardhq.com · CVSS v3.1 Base Score
What do these metrics mean?
Attack Vector
Network: exploitable remotely over the internet. No physical or local access required.
Attack Complexity
Low: no special conditions required. Reliably exploitable.
Privileges Required
None: no authentication required to exploit.
User Interaction
Required: the victim must open a file, click a link or visit a page.
Scope
Unchanged: impact limited to the vulnerable component.
Confidentiality
High: complete loss of confidentiality. The attacker can read all data.
Integrity
High: the attacker can write, modify or delete all data.
Availability
None: no availability impact.

Affected Software

Component: churchcrm
Vendor: ChurchCRM
Affected range: < 7.1.0
Fixed in: 7.1.1

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2026-39344 is to upgrade ChurchCRM to version 7.1.0 or later, which includes the necessary sanitization and encoding of the username parameter. If an immediate upgrade is not possible, consider implementing a Web Application Firewall (WAF) rule to filter out malicious JavaScript code in the username parameter. Additionally, carefully review and sanitize all user inputs within the ChurchCRM application to prevent similar vulnerabilities from arising. After upgrading, verify the fix by attempting to inject a simple JavaScript payload (e.g., <script>alert('XSS')</script>) into the username parameter of the login URL and confirming that it is not executed.

How to Fix

Upgrade to version 7.1.0 or later to mitigate the XSS vulnerability. This update corrects the missing sanitization or encoding of the 'username' parameter on the login page, preventing the injection of malicious scripts.


Frequently Asked Questions

What is CVE-2026-39344 — XSS in ChurchCRM?

CVE-2026-39344 is a Reflected Cross-Site Scripting (XSS) vulnerability in ChurchCRM versions 0.0.0 through 7.0, allowing attackers to inject malicious JavaScript into the login page.

Am I affected by CVE-2026-39344 in ChurchCRM?

You are affected if you are using ChurchCRM versions 0.0.0 through 7.0. Upgrade to version 7.1.0 or later to resolve the vulnerability.

How do I fix CVE-2026-39344 in ChurchCRM?

Upgrade ChurchCRM to version 7.1.0 or later. Consider implementing a WAF rule to filter malicious JavaScript in the username parameter as a temporary mitigation.

Is CVE-2026-39344 being actively exploited?

There is currently no indication of active exploitation campaigns, but public proof-of-concept code is likely to emerge.

Where can I find the official ChurchCRM advisory for CVE-2026-39344?

Refer to the ChurchCRM website and security advisories for the official announcement and details regarding this vulnerability.
