Churchcrm · Churchcrm · CVE-2026-39338
Name of the Vulnerable Software and Affected Versions
ChurchCRM versions prior to 7.1.0
Description
ChurchCRM, an open-source church management system, has a Blind Reflected Cross-Site Scripting (XSS) issue in the `search` parameter of the dashboard. The application does not properly sanitize or encode user input before rendering it in the browser's Document Object Model (DOM). Even though the application returns an HTTP 500 error because of the malformed API request caused by the payload, the browser's JavaScript engine parses and executes the injected `<script>` tags before the error response is returned, leading to successful code execution despite the server-side error.
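The root cause described above is a reflected parameter written into an HTML context without encoding. The following is an added illustration, not ChurchCRM code: a hypothetical `search` parameter is rendered by a vulnerable concatenation (`renderVulnerable`), by a hardened version that HTML-encodes the value first (`renderHardened`), and a small log-side helper (`looksLikeMarkup`) flags requests whose `search` value carries markup so they can be reviewed. All function names and the sample input are constructed for this example.

```javascript
// Added example, not ChurchCRM's own code. Demonstrates the reflected-XSS
// pattern from the advisory and the output-encoding fix.

// Minimal HTML entity encoder for values placed into an HTML text context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: the raw `search` parameter is concatenated into markup,
// so any tags it contains are parsed by the browser as real elements.
function renderVulnerable(search) {
  return '<h2>Results for: ' + search + '</h2>';
}

// Hardened pattern: encode before insertion, so '<script>' becomes literal text.
// Note that the fix is independent of the HTTP status the server sends back;
// a 500 response body that reflects the value unencoded is still exploitable.
function renderHardened(search) {
  return '<h2>Results for: ' + escapeHtml(search) + '</h2>';
}

// Detection helper for reviewing web-server or proxy logs: returns true when a
// `search` value starts an HTML tag (a '<' followed by a tag-name character).
function looksLikeMarkup(search) {
  return /<\s*[a-z!/]/i.test(String(search));
}

// Constructed sample input (hypothetical), containing a script tag.
const SAMPLE = 'choir <script>x</script>';

// Stand-alone demonstration.
console.log('vulnerable:', renderVulnerable(SAMPLE));
console.log('hardened:  ', renderHardened(SAMPLE));
console.log('flagged:   ', looksLikeMarkup(SAMPLE));
```

In a browser, an equivalent defence is to assign the value with `textContent` rather than building markup strings, so the DOM never parses the parameter at all; the encoder above is the server-side (template) counterpart of that rule.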
Recommendations
Update to version 7.1.0 or later.