
Security Bug: SELF XSS - Event Editor #6851

Open
0xIapetus opened this issue Feb 10, 2024 · 1 comment
Labels
bug good first issue Indicates a good issue for first-time contributors Security
Comments


0xIapetus commented Feb 10, 2024

If you have the ChurchCRM software running, please file an issue using the Report an issue in the help menu.

On what page in the application did you find this issue?
EventEditor.php

On what type of server is this running? Dedicated / Shared hosting? Linux / Windows?
Linux

What browser (and version) are you running?
Firefox

What version of PHP is the server running?
8.3.2

What version of SQL Server are you running?
11.2.2

What version of ChurchCRM are you running?
5.5.0

Severity: low

Credits:
Georgios Bitounis

Description:
A self XSS was found in the ChurchCRM v5.5.0 "edit your event" functionality, where malicious JS or HTML code can be inserted in the Event Sermon field at the endpoint EventEditor.php.

The steps for the exploitation are the following:
Step 1: Go to EventEditor.php and create an event with whatever attributes you want, then save.
Step 2: Go to ListEvents.php and edit your event; in the Event Sermon field, we can trigger XSS with this payload: <img src="invalid.jpg" onerror="alert('XSS')">

Screenshots (attached to the original issue): Create_new_event, edit_tab, before_edit_submission, Executed

Impact:
In a Self-XSS attack, the victim of the attack unknowingly runs malicious code in their own web browser, thus exposing personal information to the attacker, a kind of vulnerability known as cross-site scripting. Self-XSS involves similar application behaviour to regular reflected XSS, however it cannot be triggered in normal ways via a crafted URL or a cross-domain request. Instead, the vulnerability is only triggered if the victim themselves submits the XSS payload from their browser.

Affected Component:
/churchcrm/EventEditor.php

Technical Details:
The vulnerability is caused by a failure to validate user input. An attacker can insert malicious JS code, allowing the attacker to steal sensitive information, hijack user sessions, or perform other malicious operations on behalf of the victim.

Proof of Concept (PoC):
<img src="invalid.jpg" onerror="alert('XSS')">

Remediation:
1. Input validation: All user input should be validated to ensure that it conforms to the expected format and does not contain any malicious code. Input validation should be performed on the client side and should be designed to detect and block any attempts to inject scripts or other malicious content.
2. Output encoding: All data that is displayed on a web page should be properly encoded to prevent script injection. Proper encoding can include HTML entity encoding, URL encoding, or JavaScript escaping, depending on the specific context and data being displayed.
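As an added illustration of the output-encoding remediation (example code, not ChurchCRM's own EventEditor.php), the snippet below contrasts writing the stored Event Sermon value into the page as-is with HTML-entity encoding it for the element and attribute contexts it is rendered in. The function names and the `<td>`/`<input>` markup are assumptions; the sample value is the payload quoted in the report.

```php
<?php
// Added example (not ChurchCRM code): raw echo vs. context-aware output
// encoding of a stored Event Sermon value.
declare(strict_types=1);

// Constructed sample input: the payload from the report, as it would be
// stored in the Event Sermon field after the edit form is submitted.
$sermon = '<img src="invalid.jpg" onerror="alert(\'XSS\')">';

// Vulnerable pattern: the stored value is concatenated into the HTML
// unchanged, so the browser parses the <img> tag and fires its onerror
// handler when the event page is viewed.
function renderSermonUnsafe(string $value): string
{
    return '<td>' . $value . '</td>';
}

// Hardened pattern: encode for an HTML context before output.
// ENT_QUOTES also encodes single quotes, so the same helper is safe inside
// quoted attribute values; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string; the charset is stated explicitly.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Value rendered as text inside a table cell on the listing page.
function renderSermonSafe(string $value): string
{
    return '<td>' . e($value) . '</td>';
}

// Same value pre-filled into the edit form; an attribute context, so the
// encoded quotes keep the payload from closing the value="..." attribute.
function renderSermonInput(string $value): string
{
    return '<input type="text" name="EventSermon" value="' . e($value) . '">';
}

echo renderSermonUnsafe($sermon), PHP_EOL;
echo renderSermonSafe($sermon), PHP_EOL;
echo renderSermonInput($sermon), PHP_EOL;
```

The encoded output contains no `<`, `>` or quote characters, so the browser shows the payload as literal text rather than executing it, regardless of whether client-side validation was bypassed.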

@0xIapetus 0xIapetus added the bug label Feb 10, 2024
@0xIapetus 0xIapetus changed the title 3) Bug: SELF XSS 3) Security Bug: SELF XSS Feb 10, 2024
@MrClever MrClever changed the title 3) Security Bug: SELF XSS Security Bug: SELF XSS Feb 19, 2024
@MrClever MrClever changed the title Security Bug: SELF XSS Security Bug: SELF XSS - Event Editor Feb 19, 2024

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.

@github-actions github-actions bot added the Stale label Mar 21, 2024
@DAcodedBEAT DAcodedBEAT removed the Stale label Mar 21, 2024
@DAcodedBEAT DAcodedBEAT added the good first issue Indicates a good issue for first-time contributors label Apr 3, 2024
@DAcodedBEAT DAcodedBEAT added this to the vNext (5.8.0) milestone Apr 15, 2024