SecuriTricks - CVE-2025-0981

Description

A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to hijack a user's session by exploiting a Stored Cross Site Scripting (XSS) vulnerability in the Group Editor page. This allows admin users to inject malicious JavaScript in the description field, which captures the session cookie of authenticated users. The cookie can then be sent to an external server, enabling session hijacking. It can also lead to information disclosure, as exposed session cookies can be used to impersonate users and gain unauthorised access to sensitive information.

Product(s) Impacted

Vendor	Product	Versions
Churchcrm	Churchcrm	*

Weaknesses

CWE-287

Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

*CPE(s)

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	churchcrm	churchcrm	/	/	/	/	/	/	/	/

References

https://github.com/ChurchCRM/CRM/issues/7245

CVSS Score

6.1 / 10

CVSS Data

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

View Vector String

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Date

Published: Feb. 18, 2025, 10:15 a.m.
Last Modified: Feb. 21, 2025, 3:23 p.m.

Status : Analyzed

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

b7efe717-a805-47cf-8e9a-921fca0ce0ce

CVE-2025-0981