Cross-Site Scripting Vulnerability in ChurchCRM by ChurchCRM
CVE-2024-25898

6.1 MEDIUM

Key Information:

Vendor: ChurchCRM
Status: Vendor
CVE Published: 21 February 2024

What is CVE-2024-25898?

A Cross-Site Scripting (XSS) vulnerability exists in ChurchCRM version 5.5.0 that allows an attacker to inject malicious JavaScript or HTML into the Event Sermon field via the EventEditor.php component. Because the injected content is stored and later rendered to other users, the script can execute in the context of their sessions, exposing session data and allowing actions to be performed on their behalf. Users of ChurchCRM should update or otherwise remediate this issue to prevent unauthorized script execution.

References

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
