CVE-2023-25346

Name of the Vulnerable Software and Affected Versions ChurchCRM version 4.5.3

Description A reflected cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the id parameter of the "/churchcrm/v2/family/not-found" API endpoint. This enables attackers to execute malicious scripts on the victim's browser.

Recommendations For ChurchCRM version 4.5.3, as a temporary workaround, consider restricting access to the "/churchcrm/v2/family/not-found" API endpoint to minimize the risk of exploitation. Avoid using the id parameter in this endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.