CVE-2025-68401
BaseFortify
Publication date: 2025-12-17
Last updated on: 2025-12-18
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| churchcrm | churchcrm | up to 6.0.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a stored Cross-Site Scripting (XSS) issue in ChurchCRM versions prior to 6.0.0. The application does not properly sanitize or encode user-supplied HTML and JavaScript content before storing it. When other users view this content, the attacker-controlled JavaScript executes in their browsers, potentially accessing web origin data and performing privileged actions on behalf of the victim. If session cookies are not marked HttpOnly, the malicious script can steal session cookies, leading to account takeover.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized actions performed in the context of a victim user, including theft of session cookies if they are not marked HttpOnly. This can result in account takeover, unauthorized access to sensitive information, and potential compromise of user data and privileges within the ChurchCRM application.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking user-supplied input fields, such as the 'Name' parameter, for stored JavaScript payloads in ChurchCRM versions up to 5.21.0. Because it is a stored XSS, look for suspicious script tags or event handlers both in the database and in the rendered HTML output. Monitoring HTTP responses for unescaped user input that contains script tags can also reveal exploitation attempts. Useful commands include fetching pages with curl or wget and searching the result with grep or other text-processing tools, for example `curl -s http://yourchurchcrminstance/path | grep -i '<script'` to find inline scripts in responses. Database entries can be reviewed for injected scripts with SQL queries against fields that store user input, such as `SELECT * FROM menu_items WHERE name LIKE '%<script%';`. Note that no exact commands are provided in the resources. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows attackers to execute malicious scripts that can lead to session hijacking, privilege escalation, and unauthorized access to sensitive user data. Such unauthorized access and potential data exposure can result in non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches. Therefore, this vulnerability negatively impacts compliance with these common standards and regulations by exposing user data to potential compromise. [1]
What immediate steps should I take to mitigate this vulnerability?
Upgrade ChurchCRM to version 6.0.0 or later, as this version patches the stored XSS vulnerability by properly sanitizing and encoding user-supplied HTML/JS content.
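As an added illustration (not code from this page or from ChurchCRM itself), the Python below brings together the two defender-side points above: the indicator scan described in the detection answer, run over constructed rows standing in for stored 'Name' values, and the output-encoding fix that version 6.0.0 is described as applying. The row layout, sample values and function names are assumptions.

```python
import html
import re

# Constructed sample rows standing in for user-supplied ChurchCRM fields
# (the 'Name' parameter and similar). These are not real ChurchCRM data.
SAMPLE_ROWS = [
    {"id": 1, "name": "Sunday Service"},
    {"id": 2, "name": "Youth Group <script>alert(1)</script>"},
    {"id": 3, "name": "Bake Sale <img src=x onerror=alert(1)>"},
    {"id": 4, "name": "Tom & Jerry's Potluck"},
]

# Indicators of stored script content: script tags, inline event handlers
# and javascript: URLs. A match is a lead for manual review, not proof.
XSS_INDICATORS = re.compile(
    r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:",
    re.IGNORECASE,
)


def find_suspicious_rows(rows):
    """Return (id, name) pairs whose stored value matches an XSS indicator."""
    return [(r["id"], r["name"]) for r in rows if XSS_INDICATORS.search(r["name"])]


def render_name_vulnerable(name):
    """Unfixed pattern: the stored value is echoed into HTML unencoded."""
    return f"<td>{name}</td>"


def render_name_fixed(name):
    """Fixed pattern: HTML-encode the value so the browser renders it as text."""
    return f"<td>{html.escape(name, quote=True)}</td>"


if __name__ == "__main__":
    for row_id, name in find_suspicious_rows(SAMPLE_ROWS):
        print(f"row {row_id} needs review: {name!r}")
    print(render_name_fixed(SAMPLE_ROWS[1]["name"]))
```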