CVE-2025-67876
BaseFortify
Publication date: 2025-12-17
Last updated on: 2025-12-18
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| churchcrm | churchcrm | up to and including 6.4.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a stored cross-site scripting (XSS) issue in ChurchCRM versions 6.4.0 and earlier. A low-privilege user with the 'Manage Groups' permission can inject persistent JavaScript code into group role names. This malicious code is saved in the database and runs whenever any user, including administrators, views a page displaying that role, such as GroupView.php or PersonView.php. This can lead to session hijacking and account takeover.
How can this vulnerability impact me?
The vulnerability can allow attackers to hijack user sessions and take over accounts, including those of administrators. This can lead to unauthorized access, data theft, manipulation of information, and potentially full control over the ChurchCRM system.
What immediate steps should I take to mitigate this vulnerability?
Since no patched versions are available, immediate mitigation steps include restricting the 'Manage Groups' permission to only fully trusted users, avoiding viewing pages that display group role names (such as GroupView.php or PersonView.php) when possible, and monitoring for suspicious activity that may indicate session hijacking or account takeover attempts.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows full administrator session hijacking and account takeover, leading to exposure of all sensitive personal data stored in ChurchCRM. This exposure of sensitive personal data could result in non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal data against unauthorized access and breaches. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting the group role names stored in the ChurchCRM database, specifically in the list_lst table, for suspicious JavaScript payloads such as script tags or external script references. Since the vulnerability involves stored XSS in group role names, you can query the database for role names containing script tags or suspicious HTML, for example:

```sql
SELECT * FROM list_lst WHERE lst_OptionName LIKE '%<script%';
```

Additionally, monitoring HTTP traffic for requests to pages like GroupView.php or PersonView.php that include unexpected script execution or unusual network requests to external domains (such as attacker-hosted scripts) can help detect exploitation attempts. Network monitoring tools or browser developer tools can be used to observe such behavior. Since no patched versions are available, manual inspection and monitoring are critical. [1]
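The single LIKE '%<script%' check above misses mixed-case tags and payloads that carry no script tag at all (inline event handlers, javascript: URIs). The following added example, not part of the advisory or of ChurchCRM's code, runs a broader case-insensitive scan of the list_lst.lst_OptionName column against a constructed in-memory SQLite stand-in for that table; the lst_ID column and the sample rows are assumptions.

```python
import sqlite3

# Patterns the single LIKE '%<script%' check would miss: mixed case, tag-less
# event handlers and javascript: URIs. Matched against LOWER() so the check
# behaves the same regardless of the database collation.
SUSPICIOUS_PATTERNS = (
    "%<script%", "%<img%", "%<svg%", "%<iframe%",
    "%javascript:%", "%onerror=%", "%onload=%",
)


def build_sample_db() -> sqlite3.Connection:
    """Constructed stand-in for ChurchCRM's list_lst table (lst_ID is assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE list_lst (lst_ID INTEGER, lst_OptionName TEXT)")
    conn.executemany(
        "INSERT INTO list_lst VALUES (?, ?)",
        [
            (1, "Leader"),                                    # benign
            (2, "Usher & Greeter"),                           # benign, no markup
            (3, '<SCRIPT src="https://example.invalid/x.js"></SCRIPT>'),  # mixed case
            (4, "Youth <img src=x onerror=alert(1)>"),        # handler, no <script>
        ],
    )
    conn.commit()
    return conn


def find_suspicious_role_names(conn: sqlite3.Connection) -> list[tuple[int, str]]:
    """Return (lst_ID, lst_OptionName) rows whose name matches any pattern."""
    where = " OR ".join("LOWER(lst_OptionName) LIKE ?" for _ in SUSPICIOUS_PATTERNS)
    sql = f"SELECT lst_ID, lst_OptionName FROM list_lst WHERE {where} ORDER BY lst_ID"
    return conn.execute(sql, SUSPICIOUS_PATTERNS).fetchall()


if __name__ == "__main__":
    for row_id, name in find_suspicious_role_names(build_sample_db()):
        print(f"lst_ID={row_id}: {name!r}")
```

Any hit should be reviewed by hand before removal, since the query only flags markup that should never appear in a role name and does not confirm that a page rendered it unescaped.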