CVE-2025-68399
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-17

Last updated on: 2025-12-18

Assigner: GitHub, Inc.

Description
ChurchCRM is an open-source church management system. In versions prior to 6.5.4, there is a Stored Cross-Site Scripting (XSS) vulnerability within the GroupEditor.php page of the application. When a user attempts to create a group role, they can execute malicious JavaScript. However, for this to work, the user must have permission to view and modify groups in the application. Version 6.5.4 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-17
Last Modified
2025-12-18
Generated
2026-06-16
AI Q&A
2025-12-18
EPSS Evaluated
2026-06-14
NVD
CVE-2025-68399
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
churchcrm churchcrm to 6.5.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Stored Cross-Site Scripting (XSS) issue in ChurchCRM versions prior to 6.5.4. It occurs in the GroupEditor.php page, where a user with permission to view and modify groups can create a group role that includes malicious JavaScript code. This code is then stored and can be executed by other users, potentially compromising their security. The issue was fixed in version 6.5.4.

Impact Analysis

If exploited, this vulnerability allows an attacker with certain permissions to inject malicious JavaScript into the application, which can then execute in the browsers of other users who view the affected group roles. This can lead to unauthorized actions, data theft, or session hijacking for those users. However, exploitation requires the attacker to have permission to view and modify groups.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to upgrade ChurchCRM to version 6.5.4 or later, as this version fixes the Stored Cross-Site Scripting (XSS) vulnerability in the GroupEditor.php page.

Detection Guidance

This vulnerability can be detected by attempting to inject a known XSS payload into the 'Add New Role' functionality on the GroupEditor.php page of ChurchCRM versions prior to 6.5.4. For example, submitting a role name with the payload `"><img src=x onerror=alert(1)>` via a POST request to `/crm/api/groups/<GROUP_ID>/roles` can trigger the vulnerability if the alert box appears upon page reload. To detect this on your system, you can use curl or similar tools to simulate the POST request with the payload. Example command: `curl -X POST -d 'roleName="><img src=x onerror=alert(1)>' https://yourchurchcrminstance/crm/api/groups/<GROUP_ID>/roles -b cookies.txt -c cookies.txt` (assuming authentication cookies are managed). Monitoring for unexpected JavaScript execution or alert pop-ups when viewing group roles can also indicate the presence of the vulnerability. [1]

Compliance Impact

The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68399. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart