# Vulnerability Summary: Stored XSS in UserEditor.php via Login Name Field

## Vulnerability Overview

ChurchCRM has a stored cross-site scripting (XSS) vulnerability. When an administrator saves a username (Login Name) containing an HTML attribute injection payload, the value is stored in the database and later rendered into the `value` attribute of an input field in `UserEditor.php` without HTML encoding. Any administrator visiting this page will have the malicious script executed in their browser.

**Root Cause Code (UserEditor.php line 405):**

```php
// $sUserName is loaded raw from database - no htmlspecialchars() applied
$sUserName = $user->getUserName(); // Line 395

// Rendered directly into HTML attribute without escaping
// Line 405 - VULNERABLE
" class="form-control" width="32">
```

InputUtils::legacyFilterInput() applies strip_tags() + mysql_real_escape_string() on save (SQL-safe), but the payload

## Impact Scope

- **Affected Versions**:

## Steps to Reproduce

2. … Users and click Edit for any user.
3. Set the Login Name field to:

```html
" autofocus onfocus=confirm(document.domain) x="
```

4. Click Save.
5. Navigate back to `UserEditor.php?PersonID=`.
6. A confirmation dialog will pop up immediately upon page load (triggered by the autofocus event), confirming that the script executes in the administrator’s context.
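To make the root cause concrete, the following is an added example, not ChurchCRM's own code, that places the unescaped attribute rendering described in the Root Cause Code section beside an attribute-safe version using `htmlspecialchars()`. The input name `UserName`, the function names and the DOM-based check are assumptions made for illustration; the sample value is the Login Name payload from the reproduction steps above.

```php
<?php
// Added example (not ChurchCRM's code). Shows why on-save filtering with
// strip_tags() + mysql_real_escape_string() does not protect an HTML attribute
// context, and what output encoding at render time looks like instead.
// Assumptions: the field name "UserName" and all function names are hypothetical.

// Constructed sample: the stored Login Name from the report's reproduction steps.
// It contains no tags, so strip_tags() leaves it untouched.
$sUserName = '" autofocus onfocus=confirm(document.domain) x="';

// Vulnerable pattern: the raw value is concatenated into the value attribute,
// mirroring the unescaped rendering at UserEditor.php line 405.
function renderLoginNameUnsafe(string $sUserName): string
{
    return '<input type="text" name="UserName" value="' . $sUserName
        . '" class="form-control" width="32">';
}

// Hardened pattern: encode for the HTML attribute context at output time.
// ENT_QUOTES escapes both " and ' so the value cannot close the attribute;
// ENT_SUBSTITUTE avoids an empty result on invalid UTF-8 instead of silently
// dropping the field.
function renderLoginNameSafe(string $sUserName): string
{
    $encoded = htmlspecialchars($sUserName, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<input type="text" name="UserName" value="' . $encoded
        . '" class="form-control" width="32">';
}

// Reviewer check: parse the markup the way a browser would and confirm the
// injected event-handler attributes never become real attributes of the input.
function attributeStaysClosed(string $html): bool
{
    $dom = new DOMDocument();
    // Suppress libxml warnings about the deliberately malformed unsafe markup.
    @$dom->loadHTML('<!DOCTYPE html><html><body>' . $html . '</body></html>');
    $input = $dom->getElementsByTagName('input')->item(0);
    if ($input === null) {
        return false;
    }
    return !$input->hasAttribute('onfocus') && !$input->hasAttribute('autofocus');
}

echo renderLoginNameUnsafe($sUserName), PHP_EOL;
echo renderLoginNameSafe($sUserName), PHP_EOL;
var_dump(attributeStaysClosed(renderLoginNameUnsafe($sUserName)));
var_dump(attributeStaysClosed(renderLoginNameSafe($sUserName)));
```

Run it with `php example.php`. The unsafe rendering yields an `<input>` on which the DOM parser sees `autofocus` and `onfocus` as genuine attributes, while the encoded rendering keeps the whole payload inside a single `value` attribute. The design point is that escaping belongs to the output context: SQL escaping on save addresses the database, and tag stripping does nothing for a payload made only of quotes and attribute names, so the fix is attribute-context encoding at the point where `$sUserName` is written into the page.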