Morris-Be

Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 7.1.1 Description ChurchCRM, an open-source church management system, contains a stored cross-site scripting (XSS) issue in the group remove control and family editor state/country functionality. This primarily affects administrative users, allowing for potential abuse of writable entity fields. Recommendations Update to version 7.1.1 or later.

Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 7.1.0 Description A stored cross-site scripting issue exists in ChurchCRM's person profile editing functionality. Users with EditSelf permission can inject malicious JavaScript into their Facebook, LinkedIn, and X profile fields. The payload is distributed across these fields and chains their onfocus event handlers to execute in sequence. When a user views the attacker's profile, their session cookies are sent to a remote server. Recommendations Update to version 7.1.0 or later.

Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 7.1.0 Description An authenticated API user can modify any family record's state without proper authorization by changing the `familyId` parameter in requests, regardless of whether they possess the required EditRecords privilege. The following API endpoints lack role-based access control: '/family/{familyId}/verify', '/family/{familyId}/verify/url', '/family/{familyId}/verify/now', '/family/{familyId}/activate/{status}', and '/family/{familyId}/geocode. This allows users to deactivate or reactivate arbitrary families, send spam verification emails, and mark families as verified, triggering geocoding. Recommendations Update to version 7.1.0 or later.

Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 7.1.0 Description ChurchCRM is an open-source church management system. The `FindFundRaiser.php` endpoint reflects user-supplied input (`DateStart` and `DateEnd`) into HTML input field attributes without proper output encoding. An authenticated attacker can craft a malicious URL that executes arbitrary JavaScript when visited by another authenticated user, resulting in a reflected Cross-Site Scripting (XSS) issue. Recommendations Update to version 7.1.0.

Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 7.1.0 Description A stored cross-site scripting issue affects the Directory Reports form fields set from configuration, Person editor defaults rendered into address fields, and external self-registration form defaults. This is primarily an admin-to-admin stored XSS path where writable configuration fields are abused. Recommendations Update to version 7.1.0 or later.