Platform
php
Component
churchcrm
Fixed version
7.0.1
A stored cross-site scripting (XSS) vulnerability has been identified in ChurchCRM, an open-source church management system. This flaw, present in versions prior to 7.0.0, allows authenticated users to inject malicious JavaScript code through dynamically assigned person properties. Exploitation can lead to session hijacking or complete account compromise, impacting the confidentiality and integrity of church data.
The vulnerability resides within the Person Property Management subsystem of ChurchCRM. An attacker, once authenticated, can craft a malicious payload and inject it into a person's profile properties. This payload is then persistently stored and executed whenever other users view the affected profile or access its printable view. This persistent nature significantly amplifies the risk, as the attack isn't a one-time event but affects all subsequent views of the compromised profile. Successful exploitation could allow an attacker to steal session cookies, impersonate users, modify data, or even gain full control of affected accounts, potentially disrupting church operations and exposing sensitive member information.
This vulnerability was publicly disclosed on 2026-04-07. While no public proof-of-concept (PoC) has been released at the time of writing, the ease of exploitation and the potential impact suggest a medium probability of exploitation. It is not currently listed on the CISA KEV catalog. The vulnerability persists even in versions patched for CVE-2023-38766, highlighting the importance of thorough testing after applying security updates.
Churches and organizations utilizing ChurchCRM, particularly those relying on the Person Property Management subsystem for storing and managing member information, are at risk. Shared hosting environments where multiple ChurchCRM instances reside on the same server could also be affected, as a successful exploit on one instance could potentially impact others.
• php: Examine the ChurchCRM database for suspicious JavaScript code stored in person property fields. Use SELECT * FROM personproperties WHERE propertyvalue LIKE '%<script%'; to identify potential XSS payloads.
• generic web: Monitor access logs for requests containing unusual JavaScript code in URL parameters or POST data targeting the Person Property Management endpoints.
• generic web: Review ChurchCRM application logs for errors related to JavaScript execution or unexpected behavior in the Person Property Management subsystem.
Exploitation status
EPSS
0.03% (9th percentile)
The primary mitigation for CVE-2026-35576 is to upgrade ChurchCRM to version 7.0.0 or later, which contains the fix. If an immediate upgrade is not feasible, consider implementing strict input validation and output encoding on all user-supplied data within the Person Property Management subsystem. Web application firewalls (WAFs) configured to detect and block XSS payloads can provide an additional layer of defense. Regularly review and sanitize user-generated content to identify and remove any potentially malicious scripts.
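Added example (not ChurchCRM's own code): a Python triage script that applies the detection idea from the query above and the output-encoding mitigation from this paragraph to constructed sample rows. The column names per_id and propertyvalue follow the example query and are assumptions, not checked against the real ChurchCRM schema.

```python
import html
import re

# Constructed sample rows standing in for stored person property values.
# Column names follow the advisory's example query and are assumed, not
# checked against the real ChurchCRM schema.
SAMPLE_ROWS = [
    {"per_id": 101, "propertyvalue": "Choir member since 2019"},
    {"per_id": 102, "propertyvalue": "<script>alert(1)</script>"},
    {"per_id": 103, "propertyvalue": '<img src=x onerror="alert(1)">'},
    {"per_id": 104, "propertyvalue": "&lt;svg onload=alert(1)&gt;"},
    {"per_id": 105, "propertyvalue": "Prefers <3 emails per month"},
]

# Indicators beyond the advisory's plain '%<script%' match: event-handler
# attributes, javascript: URIs and other script-bearing elements.
XSS_PATTERNS = [
    re.compile(r"<\s*script", re.I),
    re.compile(r"<[^>]*\son[a-z]+\s*=", re.I),
    re.compile(r"javascript\s*:", re.I),
    re.compile(r"<\s*(iframe|object|embed|svg)", re.I),
]


def suspicious_indicators(value: str) -> list:
    """Return the regexes matched by one stored value.

    The value is entity-decoded first so that a payload stored as
    &lt;script&gt; (which a code path may decode before rendering) is
    still caught; harmless text such as "<3 emails" matches nothing.
    """
    decoded = html.unescape(value)
    return [p.pattern for p in XSS_PATTERNS if p.search(decoded)]


def scan(rows) -> list:
    """Return the per_id of every row whose value looks like a payload."""
    return [r["per_id"] for r in rows if suspicious_indicators(r["propertyvalue"])]


def render_property(value: str) -> str:
    """Output-encode a property value for an HTML body or attribute context.

    html.escape with quote=True neutralises <, >, &, " and ', so a stored
    payload is displayed as text instead of being executed by the browser.
    """
    return html.escape(value, quote=True)


if __name__ == "__main__":
    for per_id in scan(SAMPLE_ROWS):
        print("review person", per_id)
    print(render_property(SAMPLE_ROWS[1]["propertyvalue"]))
```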
Upgrade to version 7.0.0 or later to mitigate the XSS vulnerability. This update fixes how person properties are handled, preventing the injection of malicious JavaScript code into profile views and the printable view.
CVE-2026-35576 is a stored cross-site scripting (XSS) vulnerability in ChurchCRM versions 0.0.0 through 6.99.9, allowing authenticated users to inject malicious JavaScript code.
You are affected if you are using ChurchCRM versions 0.0.0 through 6.99.9 and have not upgraded to version 7.0.0.
Upgrade ChurchCRM to version 7.0.0 or later. Implement input validation and output encoding as an interim measure.
While no public exploit is currently known, the vulnerability's ease of exploitation suggests a potential for active exploitation.
Refer to the ChurchCRM website and security advisories for the latest information and official guidance regarding CVE-2026-35576.