CVE-2023-31699: XSS via Image File · Issue #6471 · ChurchCRM/CRM

ChurchCRM v4.5.4 is vulnerable to Reflected Cross-Site Scripting (XSS) via image file.


If you have the ChurchCRM software running, please file an issue using the Report an issue in the help menu.

On what page in the application did you find this issue?

I got the issue on the CSVImport.php page.

On what type of server is this running? Dedicated / Shared hosting? Linux / Windows?

Windows Server

What browser (and version) are you running?

Brave browser [Version 1.50.119 Chromium: 112.0.5615.121]

What version of PHP is the server running?

7.4.29

What version of SQL Server are you running?

Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29

What version of ChurchCRM are you running?

v4.5.4

Description:
I found a cross-site scripting (XSS) vulnerability in your ChurchCRM (v4.5.4) “Admin” menu, on the CSV Import page, in the “Import data” CSV uploader option. When I upload an image file with malicious code inserted in the image, the browser gives me the result, because a browser cannot know whether the script should be trusted or not.

CMS Version:
v4.5.4

Affected URL:
http://127.0.0.1/churchcrm/CSVImport.php

Steps to Reproduce:

  1. First, log in to your admin panel.

  2. Then click the “Admin” menu and click “CSV Import”; you will get the CSV file uploader option.

  3. Now insert the XSS payload into a JPG file using exiftool or from the image properties.

  4. Then upload the JPG file.

  5. You will see the XSS pop-up.

Proof of Concept:
You can see the proof of concept in the screenshots and video I have attached to confirm the vulnerability.

poc.mp4

Impact:
Attackers can make use of this to conduct attacks like phishing, steal sessions etc.

Let me know if any further info is required.

Thanks & Regards
Rahad Chowdhury
Cyber Security Specialist
https://www.linkedin.com/in/rahadchowdhury/
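The root cause the report describes, as an added example that is not ChurchCRM's own code: a simplified import preview in PHP, first in the vulnerable form (uploaded bytes reflected into the page unescaped) and then hardened with an upload type check and HTML output encoding. The function names, the assumption that the importer reflects the first uploaded row into an HTML table, and the MIME allow-list are assumptions.

```php
<?php
// Added example, not ChurchCRM's code: a simplified import-preview routine in
// a vulnerable and a hardened form. Function names, the "reflect the first
// row into a table" behaviour and the MIME allow-list are assumptions.
declare(strict_types=1);

// Vulnerable pattern: the upload is read as text and its first line is
// written into the page unescaped. A JPEG carrying a <script> tag in its
// comment segment therefore lands in the HTML as live markup.
function previewFirstRowVulnerable(string $path): string
{
    $line = (string) fgets(fopen($path, 'rb'));
    return '<td>' . rtrim($line) . '</td>';
}

// Hardened pattern: (1) the file must look like text before it is parsed,
// (2) every cell is HTML-encoded on output. Either control alone stops the
// reported payload; both together are defence in depth.
function previewFirstRowHardened(string $path): string
{
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    if (!in_array($mime, ['text/plain', 'text/csv'], true)) { // constructed allow-list
        throw new RuntimeException("Rejected upload of type $mime");
    }
    $cells = str_getcsv(rtrim((string) fgets(fopen($path, 'rb'))));
    $safe  = array_map(
        fn($c): string => htmlspecialchars((string) $c, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
        $cells
    );
    return '<td>' . implode('</td><td>', $safe) . '</td>';
}

// Constructed inputs: a minimal JPEG (SOI marker + COM segment holding a
// script tag, the kind of field exiftool writes) and a CSV row with markup.
$comment  = '<script>alert(1)</script>';
$jpeg     = "\xFF\xD8\xFF\xFE" . pack('n', strlen($comment) + 2) . $comment . "\n";
$csv      = "Smith,<b>John</b>,john@example.com\n";
$jpegPath = tempnam(sys_get_temp_dir(), 'poc');
$csvPath  = tempnam(sys_get_temp_dir(), 'csv');
file_put_contents($jpegPath, $jpeg);
file_put_contents($csvPath, $csv);

echo previewFirstRowVulnerable($jpegPath), PHP_EOL; // script tag comes back unescaped
try {
    previewFirstRowHardened($jpegPath);             // image/jpeg is not on the allow-list
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
echo previewFirstRowHardened($csvPath), PHP_EOL;    // markup in the cell is entity-encoded
unlink($jpegPath);
unlink($csvPath);
```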

Related news

ChurchCRM 4.5.4 Cross Site Scripting

ChurchCRM version 4.5.4 suffers from a cross site scripting vulnerability. Related CVE number: CVE-2023-31699.
