CVE-2023-25346 - Cross-Site Scripting (Reflected)
| Researchers | 10splayaSec |
| Severity | 3.5 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N) |
| Published | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-25346 |
| Software Link | https://github.com/ChurchCRM/CRM |
Description
A reflected cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the id parameter of the /churchcrm/v2/family/not-found endpoint.
Proof of Concept
- Using the payload churchcrm/v2/person/not-found?id="><script>alert(1)</script>, an alert box will appear on the webpage, indicating the JavaScript code ran successfully.
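The leading "> in the payload indicates the id value is reflected inside a double-quoted HTML attribute, which it closes before injecting a script element. The following is an added example, not ChurchCRM's code: it shows that pattern next to a hardened version. The function names, markup and the /example/search path are hypothetical, and it assumes record ids are positive integers.

```php
<?php
declare(strict_types=1);

// Added illustration only: hypothetical "not found" renderers, not ChurchCRM's templates.

// Encode a value for HTML text and quoted-attribute contexts.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: the raw id is concatenated into a double-quoted attribute
// and into body text, so a value starting with "> closes the attribute and tag.
function renderNotFoundVulnerable(string $id): string
{
    return '<input type="hidden" name="id" value="' . $id . '">'
         . '<p>No record with id ' . $id . ' was found.</p>';
}

// Hardened pattern: validate against the expected type, then encode on output.
function renderNotFoundHardened(string $id): string
{
    // Assumption: ids are positive integers, so anything else is rejected outright.
    $valid = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($valid === false) {
        return '<p>Invalid record id.</p>'
             . '<a href="/example/search">Back to search</a>'; // placeholder path
    }

    // Encoding is kept even after validation so the template stays safe
    // if the validation rule is later relaxed (for example to allow UUIDs).
    $safe = e((string) $valid);
    return '<input type="hidden" name="id" value="' . $safe . '">'
         . '<p>No record with id ' . $safe . ' was found.</p>';
}

// Payload taken from the proof of concept above.
$payload = '"><script>alert(1)</script>';

echo "vulnerable: ", renderNotFoundVulnerable($payload), PHP_EOL;
echo "encoded:    ", e($payload), PHP_EOL;
echo "hardened:   ", renderNotFoundHardened($payload), PHP_EOL;
echo "valid id:   ", renderNotFoundHardened('42'), PHP_EOL;
```

Run with php on the command line to compare the three renderings of the same payload; only the vulnerable one emits a literal script element.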
