Skip to content

Latest commit

 

History

History
24 lines (16 loc) · 1.24 KB

README.md

File metadata and controls

24 lines (16 loc) · 1.24 KB

CVE-2023-25347 - Cross-Site Scripting (Stored)
Researchers 10splayaSec
Severity 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Published https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25347
Software Link https://github.com/ChurchCRM/CRM

Description

A stored cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3, allows remote attackers to inject arbitrary web script or HTML via input fields. These input fields are located in the "Title" Input Field in EventEditor.php.

Proof of Concept

  1. On the left sidebar, navigate to the Events dropdown and click on Add Church Event. Select an Event Type.
  2. In the Event Title input field, submit the payload " onfocus=alert(document.cookie) autofocus=". Complete the form and submit.

  1. Click Save. Once the Event is successfully created, go back to edit the Event, and the Javascript will execute.