CVE-2023-27059: A cross-site scripting vulnerability (XSS) exists in the edit group function · Issue #6450 · ChurchCRM/CRM
A cross-site scripting (XSS) vulnerability in the Edit Group function of ChurchCRM v4.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Edit Group Name text field.
On what page in the application did you find this issue?
On what type of server is this running? Dedicated / Shared hosting? Linux / Windows?
Windows
What browser (and version) are you running?
Edge
What version of PHP is the server running?
7.4.3
What version of SQL Server are you running?
5.7.26
What version of ChurchCRM are you running?
4.5.3
Severity: medium
Description:
A stored XSS was found in the application's Edit Group Name field, where malicious JavaScript or HTML can be inserted, allowing attackers to steal sensitive information, hijack user sessions, or perform other malicious operations on behalf of the victim. The vulnerability is caused by the backend neither validating the input effectively nor encoding it when it is output.
Impact:
Stored XSS, also known as persistent XSS, is a type of cross-site scripting attack in which the malicious code is permanently stored on the server and delivered to every user who accesses the affected page. The attacker typically injects the malicious code, such as JavaScript or HTML, into a form field or other input field that is stored in a database or other data storage location. When the victim accesses the page containing the stored malicious code, the code is executed in the victim’s browser, allowing the attacker to steal sensitive information, hijack user sessions, or perform other malicious actions on behalf of the victim.
Affected Component:
/churchcrm/GroupList.php
Technical Details:
The vulnerability is caused by the backend failing to validate user input effectively. An attacker can enter malicious JavaScript as the group name so that it is stored in the database and later rendered unencoded, allowing the attacker to steal sensitive information, hijack user sessions, or perform other malicious operations on behalf of the victim.
Proof of Concept (PoC):
<img src=1 onclick=alert(document.cookie)>
The payload fires when another user visits the affected page and the stored group name is rendered.
Remediation:
1. Input validation: All user input should be validated on the server side to ensure that it conforms to the expected format and does not contain any malicious code. Client-side validation may be added for usability, but the server-side check is the one that must detect and block attempts to inject scripts or other malicious content.
2. Output encoding: All data that is displayed on a web page should be properly encoded to prevent script injection. This includes data stored in a database or other data storage location, as well as data that is passed between pages or included in page templates. The correct encoding depends on the context in which the data is rendered: HTML entity encoding for element content and attributes, URL encoding for query parameters, or JavaScript escaping for data embedded in scripts.
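The two remediation points applied to a PHP rendering of the group name, as an added example that is not part of this report or of ChurchCRM's own code. The function names and the validation policy (length and character limits) are assumptions made for the example; the sample value is the PoC payload from this report.

```php
<?php
// Added example, not ChurchCRM code: rendering a stored group name in a
// GroupList-style table cell, first unencoded (the vulnerable pattern) and
// then with context-appropriate output encoding and server-side validation.
declare(strict_types=1);

/** Vulnerable pattern: stored data is interpolated directly into HTML. */
function renderGroupRowUnsafe(string $groupName): string
{
    // A stored value such as <img src=1 onclick=...> becomes a live element here.
    return "<td>$groupName</td>";
}

/** HTML entity encoding for the element-content and attribute contexts. */
function escapeHtml(string $value): string
{
    // ENT_QUOTES encodes both quote styles; ENT_SUBSTITUTE replaces invalid
    // UTF-8 instead of returning an empty string; the charset must match the page.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Hardened pattern: the same cell with the stored value encoded on output. */
function renderGroupRowSafe(string $groupName): string
{
    return '<td>' . escapeHtml($groupName) . '</td>';
}

/**
 * Server-side validation of a group name (assumed policy for this example):
 * 1 to 64 characters, no angle brackets and no control characters. Validation
 * complements output encoding; it does not replace it.
 */
function isValidGroupName(string $name): bool
{
    return preg_match('/^[^<>\p{Cc}]{1,64}$/u', $name) === 1;
}

// Constructed input: the PoC payload from this report.
$payload = '<img src=1 onclick=alert(document.cookie)>';

echo "Unsafe:  ", renderGroupRowUnsafe($payload), PHP_EOL;
echo "Safe:    ", renderGroupRowSafe($payload), PHP_EOL;
echo "Valid?   ", isValidGroupName($payload) ? 'yes' : 'no', PHP_EOL;
echo "Valid?   ", isValidGroupName('Youth Choir') ? 'yes' : 'no', PHP_EOL;
```

In the safe rendering the angle brackets arrive in the browser as entities, so the payload is displayed as literal text rather than parsed as an element with an event handler.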