CVE-2026-39332
Reflected XSS in ChurchCRM GeoPage.php Enables Account Takeover
Publication date: 2026-04-07
Last updated on: 2026-04-10
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| churchcrm | churchcrm | versions before 7.1.0 (7.1.0 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-39332 is a reflected Cross-Site Scripting (XSS) vulnerability in the ChurchCRM application, specifically in the GeoPage.php file before version 7.1.0.
The vulnerability occurs because the POST parameter 'CoordFileName' is not properly escaped before being embedded into an HTML input element's value attribute. This allows an attacker to inject arbitrary JavaScript code.
An attacker who is an authenticated user can submit a crafted payload that injects JavaScript which executes automatically due to the use of the 'autofocus' attribute, without requiring any user interaction.
This injected script can steal session cookies from other authenticated users, including administrators, enabling the attacker to hijack their sessions and fully take over their accounts.
How can this vulnerability impact me?
This vulnerability can have severe impacts including full account takeover of any authenticated user, especially administrators.
An attacker can steal session cookies by injecting malicious JavaScript, which allows them to hijack user sessions.
Once an attacker gains access to administrator accounts, they can access and potentially manipulate all congregation data managed by the ChurchCRM system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the GeoPage.php endpoint for reflected Cross-Site Scripting (XSS) in the POST parameter `CoordFileName`. Specifically, you can attempt to submit a crafted payload that includes JavaScript code in the `CoordFileName` parameter and observe if it is reflected unescaped in the HTML response.
A simple detection method is to send a POST request with a payload such as `" autofocus onfocus=alert(document.cookie) //` in the `CoordFileName` parameter and check if the JavaScript executes or is reflected in the response.
Example command using curl to test the vulnerability:
- curl -X POST -d "CoordFileName=\" autofocus onfocus=alert(document.cookie) //" https://yourchurchcrminstance/GeoPage.php -v
If the response HTML contains the injected payload unescaped inside the input element's value attribute and the JavaScript executes when the page loads, the vulnerability is present.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade ChurchCRM to version 7.1.0 or later, where this vulnerability is fixed.
The fix involves properly escaping the `CoordFileName` parameter before embedding it into the HTML to prevent injection of executable code. This prevents the reflected XSS attack.
Until you can upgrade, consider restricting access to the GeoPage.php page to trusted users only and monitoring for suspicious POST requests containing unusual input in the `CoordFileName` parameter.
Additionally, educate users to avoid submitting forms or clicking links from untrusted sources that might exploit this vulnerability.
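To make the fix concrete, here is an added illustration (not ChurchCRM's own code) of the unsafe pattern the advisory describes next to its escaped form; the function names and the surrounding input markup are assumptions for the example.

```php
<?php
// Added example, not code from ChurchCRM: the difference between dropping a
// POST value straight into a double-quoted attribute and escaping it first.
// Function names and markup are assumptions for illustration.

// Unsafe pattern: the raw value can close the value="..." attribute and add
// new attributes (such as autofocus/onfocus) to the input element.
function renderCoordFileInputUnsafe(string $coordFileName): string
{
    return '<input type="text" name="CoordFileName" value="' . $coordFileName . '">';
}

// Hardened pattern: escape for the HTML attribute context.
// ENT_QUOTES turns both " and ' into entities so the attribute cannot be closed;
// ENT_SUBSTITUTE keeps invalid UTF-8 from silently producing an empty string.
function renderCoordFileInputSafe(string $coordFileName): string
{
    $escaped = htmlspecialchars($coordFileName, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="CoordFileName" value="' . $escaped . '">';
}

// Constructed sample input with the same shape as the payload quoted above.
$sample = '" autofocus onfocus=alert(document.cookie) //';

echo "Unsafe: " . renderCoordFileInputUnsafe($sample) . PHP_EOL;
// The escaped version keeps the whole string inside the value attribute.
echo "Safe:   " . renderCoordFileInputSafe($sample) . PHP_EOL;
```

In the safe output every `"` from the input appears as `&quot;`, so the browser never sees a second attribute and no handler is attached.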
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an attacker to steal session cookies and fully take over any victim account, including administrator accounts. This can lead to unauthorized access to sensitive congregation data.
Such unauthorized access and potential data compromise could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.
Because the vulnerability enables full account takeover and exposure of sensitive information, organizations using affected versions of ChurchCRM may face increased risk of non-compliance with these regulations until the vulnerability is patched.