CVE-2023-31548 - Cross-Site Scripting (Stored)

Researchers 10splayaSec
Severity 5.4 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
Published https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-31548
Software Link https://github.com/ChurchCRM/CRM

Description

A stored Cross-site scripting (XSS) vulnerability in the FundRaiserEditor.php component of ChurchCRM v4.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.

Proof of Concept

  1. On the left hand side, click "Create New Fundraiser". Input the payload `" onfocus="alert(1)" autofocus="` inside either the Title or Description field, then click Save.

  2. After clicking Save, the payload executes. If you click on the Title or Description field afterwards, the payload triggers again.
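To show why the payload above works and what the fix looks like, here is an added PHP illustration; it is not ChurchCRM's code, and the input markup and function names are hypothetical stand-ins for a form field that echoes a stored value. It renders the PoC payload once through an unescaped attribute and once through attribute-context encoding with `htmlspecialchars`.

```php
<?php
// Added illustration (not ChurchCRM code): the attribute-breakout payload
// from the proof of concept against an unescaped and an escaped form field.
// The field markup and function names are hypothetical; only the encoding
// pattern is the point.

declare(strict_types=1);

// Vulnerable pattern: the stored value is interpolated directly into a
// double-quoted HTML attribute. A value containing `"` closes the attribute,
// so the rest of the input becomes new attributes (onfocus, autofocus).
function renderTitleInputVulnerable(string $title): string
{
    return '<input type="text" name="Title" value="' . $title . '">';
}

// Hardened pattern: encode for the attribute context. ENT_QUOTES encodes both
// `"` and `'`, so the value can never terminate the attribute; the browser
// still displays the original text inside the field.
function renderTitleInputSafe(string $title): string
{
    $escaped = htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="Title" value="' . $escaped . '">';
}

// The stored payload from the advisory's proof of concept.
$payload = '" onfocus="alert(1)" autofocus="';

echo "Vulnerable: " . renderTitleInputVulnerable($payload) . PHP_EOL;
echo "Hardened:   " . renderTitleInputSafe($payload) . PHP_EOL;

// Self-check suitable for a regression test: the hardened markup must contain
// only the six double quotes of our own attributes, and no attribute named
// onfocus may have been smuggled in by the stored value.
$safe = renderTitleInputSafe($payload);
assert(substr_count($safe, '"') === 6, 'stored value must not add raw quotes');
assert(strpos($safe, ' onfocus=') === false, 'no injected event handler');
```

The same encoding must be applied wherever the Title or Description is rendered, not only in the editor form, since a stored value is displayed in every view that reads it back.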