| Researchers | 10splayaSec |
| Severity | 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) |
| Published | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31548 |
| Software Link | https://github.com/ChurchCRM/CRM |
A stored Cross-site scripting (XSS) vulnerability in the FundRaiserEditor.php component of ChurchCRM v4.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
- On the left hand side, click "Create New Fundraiser". Input the payload
" onfocus="alert(1)" autofocus="inside either theTitleorDescriptionfield, then clickSave.
- After clicking Save, you will see the payload gets executed. The payload will execute. If you try to click on the Title or Description after, the payload will trigger.

