cnvd - cnvd-2025-04176

CNVD-2025-04176

Vulnerability from cnvd - Published: 2025-03-03

Title

ChurchCRM输入验证错误漏洞

Description

ChurchCRM是ChurchCRM开源的一个为教会打造的开源CRM系统。 ChurchCRM存在输入验证错误漏洞，该漏洞源于未正确验证输入。攻击者可利用该漏洞劫持用户会话。

Severity

中

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新： https://github.com/ChurchCRM/CRM/issues/7245

Reference

https://nvd.nist.gov/vuln/detail/CVE-2025-0981

Impacted products

Name
ChurchCRM ChurchCRM <=5.13.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-0981",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-0981"
    }
  },
  "description": "ChurchCRM\u662fChurchCRM\u5f00\u6e90\u7684\u4e00\u4e2a\u4e3a\u6559\u4f1a\u6253\u9020\u7684\u5f00\u6e90CRM\u7cfb\u7edf\u3002\n\nChurchCRM\u5b58\u5728\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u672a\u6b63\u786e\u9a8c\u8bc1\u8f93\u5165\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u52ab\u6301\u7528\u6237\u4f1a\u8bdd\u3002",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://github.com/ChurchCRM/CRM/issues/7245",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2025-04176",
  "openTime": "2025-03-03",
  "products": {
    "product": "ChurchCRM ChurchCRM \u003c=5.13.0"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2025-0981",
  "serverity": "\u4e2d",
  "submitTime": "2025-02-28",
  "title": "ChurchCRM\u8f93\u5165\u9a8c\u8bc1\u9519\u8bef\u6f0f\u6d1e"
}

CVE-2025-0981 (GCVE-0-2025-0981)

Vulnerability from cvelistv5 – Published: 2025-02-18 09:33 – Updated: 2025-02-19 08:37

Summary

A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to hijack a user's session by exploiting a Stored Cross Site Scripting (XSS) vulnerability in the Group Editor page. This allows admin users to inject malicious JavaScript in the description field, which captures the session cookie of authenticated users. The cookie can then be sent to an external server, enabling session hijacking. It can also lead to information disclosure, as exposed session cookies can be used to impersonate users and gain unauthorised access to sensitive information.

Severity ?

8.4 (High)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:H/SC:H/SI:L/SA:H/AU:Y/R:U/V:C/RE:L/U:Amber

CWE

CWE-287 - Improper Authentication

Assigner

Gridware

References

URL

Tags

https://github.com/ChurchCRM/CRM/issues/7245

Impacted products

	Vendor	Product	Version
	ChurchCRM	ChurchCRM	Affected: ChurchCRM 5.13.0 and prior

Credits

Michael McInerney

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-0981",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-18T14:29:25.449204Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-18T14:29:36.736Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "ChurchCRM",
          "vendor": "ChurchCRM",
          "versions": [
            {
              "status": "affected",
              "version": "ChurchCRM 5.13.0 and prior"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Michael McInerney"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eA vulnerability exists in \u003c/span\u003e\u003cstrong\u003eChurchCRM\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;5.13.0 and prior that allows an attacker to hijack a user\u0027s session by exploiting a Stored Cross Site Scripting (XSS) vulnerability in the \u003c/span\u003e\u003cstrong\u003eGroup Editor page\u003c/strong\u003e\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e. This allows admin users to inject malicious JavaScript in the description field, which captures the session cookie of authenticated users. The cookie can then be sent to an external server, enabling session hijacking. I\u003c/span\u003et can also lead to information disclosure, as exposed session cookies can be used to impersonate users and gain unauthorised access to sensitive information.\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u003cbr\u003e\n\n\n\u003c/span\u003e\u003cbr\u003e"
            }
          ],
          "value": "A vulnerability exists in ChurchCRM\u00a05.13.0 and prior that allows an attacker to hijack a user\u0027s session by exploiting a Stored Cross Site Scripting (XSS) vulnerability in the Group Editor page. This allows admin users to inject malicious JavaScript in the description field, which captures the session cookie of authenticated users. The cookie can then be sent to an external server, enabling session hijacking. It can also lead to information disclosure, as exposed session cookies can be used to impersonate users and gain unauthorised access to sensitive information."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-102",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-102 Session Sidejacking"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "USER",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.4,
            "baseSeverity": "HIGH",
            "privilegesRequired": "HIGH",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "LOW",
            "userInteraction": "PASSIVE",
            "valueDensity": "CONCENTRATED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:H/SC:H/SI:L/SA:H/AU:Y/R:U/V:C/RE:L/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "LOW",
            "vulnerabilityResponseEffort": "LOW"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-287",
              "description": "CWE-287 Improper Authentication",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-02-19T08:37:46.688Z",
        "orgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
        "shortName": "Gridware"
      },
      "references": [
        {
          "url": "https://github.com/ChurchCRM/CRM/issues/7245"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eTo mitigate this vulnerability, implement output encoding to prevent malicious script injection in user-controlled input fields, ensure that session cookies are set with the HttpOnly and Secure flags to protect them from client-side access, and validate and sanitize user input before reflecting it in web pages.\u003c/p\u003e"
            }
          ],
          "value": "To mitigate this vulnerability, implement output encoding to prevent malicious script injection in user-controlled input fields, ensure that session cookies are set with the HttpOnly and Secure flags to protect them from client-side access, and validate and sanitize user input before reflecting it in web pages."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Session Hijacking via Stored Cross-Site Scripting (XSS) in ChurchCRM GroupEditor.php Description Field",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
    "assignerShortName": "Gridware",
    "cveId": "CVE-2025-0981",
    "datePublished": "2025-02-18T09:33:54.210Z",
    "dateReserved": "2025-02-03T10:22:18.062Z",
    "dateUpdated": "2025-02-19T08:37:46.688Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2025-04176

CVE-2025-0981 (GCVE-0-2025-0981)

Tags

Sightings

Nomenclature