CVE-2025-1024

Summary

A vulnerability exists in ChurchCRM 5.13.0 that allows an attacker to execute arbitrary JavaScript in a victim’s browser via Reflected Cross-Site Scripting (XSS) in the EditEventAttendees.php page. This requires Administration privileges and affects the EID parameter. The flaw allows an attacker to steal session cookies, perform actions on behalf of an authenticated user, and gain unauthorized access to the application.

Severity

  • Base Score: 8.4
  • Exploitability Score: 8.0
  • Impact Score: 6.4
  • Exploitable: Yes

Details

The Reflected XSS vulnerability in ChurchCRM’s EditEventAttendees.php page allows an attacker with administrative privileges to inject malicious JavaScript code into the EID parameter. When a user with sufficient privileges visits a crafted URL containing the malicious script, the script is executed in their browser. This can be exploited to steal session cookies, perform actions on behalf of the administrator, or redirect the user to a phishing site. Successful exploitation can lead to complete compromise of the application and its data. Because the vulnerable page can only be reached by users with administrative privileges, the set of users who can be targeted is smaller and the requirements for successful exploitation are higher.

Remediation

To remediate this XSS vulnerability, the following steps should be taken:

  1. Update ChurchCRM: Upgrade to a patched version of ChurchCRM that addresses this vulnerability. Check the ChurchCRM website or official channels for security updates.

  2. Input Validation and Sanitization: Implement strict input validation and sanitization for the EID parameter in EditEventAttendees.php. Sanitize all user inputs to remove or encode potentially malicious characters before rendering them in the web page. Specifically, use HTML entity encoding to escape characters like <, >, ", and '.

  3. Output Encoding: Use proper output encoding to prevent the browser from interpreting user-supplied data as executable code. Ensure all data displayed from the EID parameter is properly encoded before being displayed in the web page.

  4. Principle of Least Privilege: Review and enforce the principle of least privilege. Ensure that administrative privileges are only granted to users who require them. This limits the scope of potential damage if an account is compromised.

  5. Web Application Firewall (WAF): Deploy a Web Application Firewall (WAF) to detect and block XSS attacks. Configure the WAF with rules to identify and block malicious payloads in the EID parameter.

  6. Content Security Policy (CSP): Implement Content Security Policy (CSP) to restrict the sources from which the browser can load resources. This can prevent the execution of unauthorized scripts.

  7. Regular Security Audits: Conduct regular security audits and penetration testing to identify and address vulnerabilities proactively.

  8. Educate Administrators: Provide administrators with training on security best practices, including the dangers of XSS attacks and how to identify and avoid them.
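The following PHP fragment is an added illustration of remediation steps 2 and 3 (input validation plus output encoding for the EID parameter); it is not ChurchCRM's own code, and the function names parseEventId and h are hypothetical.

```php
<?php
// Added example, not ChurchCRM source. Shows the unsafe pattern behind a
// reflected XSS in an id parameter and the hardened equivalent.
//
// Unsafe pattern (what a reflected XSS in EID looks like): the query value
// is written straight into the page, so any markup it carries is rendered.
//   echo '<input type="hidden" name="EID" value="' . $_GET['EID'] . '">';

/**
 * Step 2, input validation: an event id is a positive integer, so anything
 * else is rejected outright instead of being sanitised and reflected.
 * Returns null when the parameter is missing or not a valid id.
 */
function parseEventId(array $query): ?int
{
    $eid = filter_var($query['EID'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $eid === false ? null : $eid;
}

/**
 * Step 3, output encoding: escape <, >, & and both quote characters so a
 * value is inert in HTML text and inside attribute values alike.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$eid = parseEventId($_GET);
if ($eid === null) {
    // Never echo the rejected input back; a fixed message carries no
    // attacker-controlled data.
    http_response_code(400);
    echo '<p>Invalid event id.</p>';
    exit;
}

// The id is already known to be an integer, but it is still encoded on
// output so a later relaxation of the validation rule cannot silently
// reintroduce the problem.
echo '<input type="hidden" name="EID" value="' . h((string) $eid) . '">';
```

Validation alone closes the EID vector because an integer cannot carry markup; the encoding step is defence in depth and is the only option for parameters that legitimately accept free text.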

Assigner

  • Name: Gridware
  • Email: b7efe717-a805-47cf-8e9a-921fca0ce0ce

Date

  • Published Date: 2025-02-19 09:15:10
  • Updated Date: 2025-02-19 09:15:10
