CVE-2025-68401

Medium CVSS: 6.2

ChurchCRM is an open-source church management system. Prior to version 6.0.0, the application stores user-supplied HTML/JS without sufficient sanitization/encoding. When other users later view this content, attacker-controlled JavaScript executes in their browser (stored XSS). In affected contexts the script can access web origin data and perform privileged actions as the victim. Where session cookies are not marked HttpOnly, the script can read document.cookie, enabling session theft and account takeover. Version 6.0.0 patches the issue.

Vendor

Churchcrm

Product

Churchcrm

CWE

CWE-79

Yayın Tarihi

2025-12-17 22:16:02

Güncelleme

2025-12-18 16:44:00

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-79 Churchcrm MEDIUM Churchcrm 2025

Referanslar

https://github.com/ChurchCRM/CRM/security/advisories/GHSA-phfw-p278-qq7v https://github.com/ChurchCRM/CRM/security/advisories/GHSA-phfw-p278-qq7v

Benzer Kayıtlar

Medium

CVE-2026-32880

ChurchCRM is an open-source church management system. Versions prior to 7.0.2 allow an admin user to edit JSON type syst…

Low

CVE-2026-26059

ChurchCRM is an open-source church management system. In versions prior to 6.8.2, it was possible for an authenticated u…

High

CVE-2026-24854

ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in endpoint `/PaddleNumEditor…

High

CVE-2026-24855

ChurchCRM is an open-source church management system. Versions prior to 6.7.2 have a Stored Cross-Site Scripting (XSS) v…

Low

CVE-2025-68399

ChurchCRM is an open-source church management system. In versions prior to 6.5.4, there is a Stored Cross-Site Scripting…

Critical

CVE-2025-68400

ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in the legacy endpoint `/Repo…