ChurchCRM has a Stored XSS in Person Profile - Add a Note

ChurchCRM is an open-source church management system. Prior to 6.5.3, a stored Cross-Site Scripting (XSS) vulnerability in ChurchCRM's Note Editor allows authenticated users with note-adding permissions to execute arbitrary JavaScript code in the context of other users' browsers, including administrators. This can lead to session hijacking, privilege escalation, and unauthorized access to sensitive church member data. This vulnerability is fixed in 6.5.3.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

ChurchCRM 安全漏洞

ChurchCRM是ChurchCRM开源的一个为教会打造的开源 CRM 系统。 ChurchCRM 6.5.3之前版本存在安全漏洞，该漏洞源于笔记编辑器存在存储型跨站脚本，可能导致具有添加笔记权限的经过身份验证的用户在其他用户的浏览器上下文中执行任意JavaScript代码，从而劫持会话、提升权限或未经授权访问敏感数据。

N/A

N/A