Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-32880 is a stored Cross-Site Scripting (XSS) vulnerability in ChurchCRM, an open-source church management system. It affects versions prior to 7.0.2. The issue arises because the system allows an admin user to edit JSON-type system settings without proper sanitization or escaping. This means an attacker with admin privileges can inject malicious JavaScript code into these JSON settings.'}, {'type': 'paragraph', 'content': "When any admin views the system settings page, the injected JavaScript executes in their browser context. This happens because the JSON input is embedded directly into an HTML input element's value attribute without escaping, allowing the malicious script to run."}, {'type': 'paragraph', 'content': 'The vulnerability is due to improper neutralization of input during web page generation (CWE-79). It was fixed in version 7.0.2 by escaping the JSON values before embedding them in HTML and validating the JSON input to ensure it is valid before storing.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have several impacts if exploited:

• An attacker with admin privileges can execute arbitrary JavaScript in the context of other admin users, potentially stealing session cookies or performing other malicious actions.
• The injected invalid JSON can break the JSON parsing in the web interface, preventing other admins from editing the affected setting via the graphical user interface (GUI). This forces them to use command-line tools to fix the issue.
• Dependent code that expects valid JSON may malfunction due to corrupted data, potentially causing further application errors.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by attempting to inject a malicious JavaScript payload into a JSON-type system setting and observing if it executes when viewing the system settings page.'}, {'type': 'paragraph', 'content': 'A proof of concept command to test for this vulnerability involves sending a crafted POST request with a malicious payload using curl, as follows:'}, {'type': 'list_item', 'content': 'curl -X POST "http://localhost/SystemSettings.php" \\'}, {'type': 'list_item', 'content': '-H "Cookie: CRM-<session_cookie>" \\'}, {'type': 'list_item', 'content': '--data-urlencode "save=Save Settings" \\'}, {'type': 'list_item', 'content': '--data-urlencode "type[1043]=json" \\'}, {'type': 'list_item', 'content': '--data-urlencode "new_value[1043]=\'><script>alert(1)</script>"'}, {'type': 'paragraph', 'content': 'After executing this command, refreshing the system settings page will trigger the injected JavaScript alert if the vulnerability is present.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include upgrading ChurchCRM to version 7.0.2 or later, where this vulnerability has been fixed.

If upgrading is not immediately possible, ensure that JSON input is properly validated before storing and that JSON values are escaped before embedding in HTML to prevent XSS.

Specifically, the fix involves:

• Escaping JSON values before embedding them in HTML input elements to prevent script execution.
• Validating JSON input to ensure it is well-formed before saving it, preventing invalid JSON from breaking the UI.

Additionally, monitor and restrict admin privileges carefully, as this vulnerability requires admin access to exploit.

Useful 0 Not Useful 0