CVE-2023-33661: XSS exists in the group report page · Issue #6474 · ChurchCRM/CRM

Multiple cross-site scripting (XSS) vulnerabilities were discovered in Church CRM v4.5.3 in GroupReports.php via GroupRole, ReportModel, and OnlyCart parameters.


If you have the ChurchCRM software running, please file an issue using the Report an issue in the help menu.

On what page in the application did you find this issue?

/churchcrm/GroupReports.php

On what type of server is this running? Dedicated / Shared hosting? Linux / Windows?

Linux

What browser (and version) are you running?

Firefox

What version of PHP is the server running?

7.4.33

What version of SQL Server are you running?

5.7.26

What version of ChurchCRM are you running?

4.5.3

Description:
XSS was detected in GroupReports.php: three hidden parameters were found in the code of this page in which this vulnerability is possible: GroupRole, ReportModel, OnlyCart. A browser cannot know whether the script should be trusted or not; it will execute the script in the user's context, allowing the attacker to access any cookies or session tokens retained by the browser.

Impact:
The vulnerability allows an attacker to send malicious JavaScript code, which could result in hijacking of the user's cookie/session tokens, redirecting the user to a malicious web page, downloading malicious files hosted on the attacker's server, and performing many other unintended browser actions.

Proof of Concept:
<script>alert('XSS')</script>
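As an added illustration (not ChurchCRM's code, and not the fix the project shipped), the following PHP models the pattern behind this class of bug and the two controls that close it: output encoding for the HTML context, and validating the parameter against the type the page actually expects so that rejected input is never reflected. The parameter name GroupRole is taken from the report; the page structure and the assumption that it carries a non-negative integer id are hypothetical, and the request below is constructed from the proof-of-concept string quoted above.

```php
<?php
// Added example: a minimal model of the reflected-XSS pattern, not ChurchCRM's
// code. The parameter name GroupRole comes from the advisory; the page layout
// and the expectation that it holds an integer id are assumptions.

declare(strict_types=1);

// Vulnerable pattern: the raw query-string value is concatenated into the
// HTML response, so any markup in the value is parsed by the browser as markup.
function renderUnsafe(array $query): string
{
    $groupRole = $query['GroupRole'] ?? '';
    return '<p>Report for group role: ' . $groupRole . '</p>';
}

// Control 1, output encoding: htmlspecialchars() turns <, >, &, " and ' into
// entities so the value is displayed as text instead of being parsed.
// ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces invalid UTF-8
// instead of returning an empty string, which would fail silently.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Control 2, input validation: if the parameter is only ever an id, reject
// anything that is not a non-negative integer before it reaches the template.
// Returns null on invalid input so the caller can fail closed.
function readGroupRole(array $query): ?int
{
    $raw = $query['GroupRole'] ?? null;
    if ($raw === null) {
        return null;
    }
    $value = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $value === false ? null : $value;
}

// Hardened render: validated value, and still encoded at the point of output
// so the template stays safe even if the validation rule is later relaxed.
function renderSafe(array $query): string
{
    $groupRole = readGroupRole($query);
    if ($groupRole === null) {
        // Fail closed: the rejected value is not echoed back into the page.
        return '<p>Invalid GroupRole parameter.</p>';
    }
    return '<p>Report for group role: ' . escapeHtml((string) $groupRole) . '</p>';
}

// Constructed request carrying the payload quoted in the report.
$constructedQuery = ['GroupRole' => "<script>alert('XSS')</script>"];

echo 'unsafe:  ' . renderUnsafe($constructedQuery) . PHP_EOL;
echo 'safe:    ' . renderSafe($constructedQuery) . PHP_EOL;
echo 'escaped: ' . escapeHtml($constructedQuery['GroupRole']) . PHP_EOL;
```

Running the file with the php CLI shows the unencoded render containing the script element verbatim, the hardened path refusing the value, and the encoded form rendering it as inert text. In a real code base the encoding belongs in the template layer (or a templating engine that escapes by default) so it cannot be forgotten for an individual parameter, which is exactly how undocumented parameters like the three named here slip through.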
