{“lastseen”:”2026-04-13T15:47:25″,”description”:”ChurchCRM versions 6.5.2 and below suffer from a persistent cross site scripting vulnerability in the person property assignment functionality. Note that the advisory says versions 6.3.0 and below are affected but the CVE entry states versions prior to…”,”published”:”2026-04-13T00:00:00″,”modified”:”2026-04-13T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 ChurchCRM Cross Site Scripting”,”source”:””,”references”:””,”id”:”PACKETSTORM:218764″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-67875″],”sourceData”:”# CVE-2025-67875: ChurchCRM has stored XSS via Person Property Assignment Leading to Admin Session Hijacking\\n \\n ## Overview\\n \\n | Field | Details |\\n |—|—|\\n | **CVE ID** | [CVE-2025-67875](https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2025-67875) |\\n | **Severity** | HIGH |\\n | **Advisory** | [View Advisory](https:\/\/github.com\/ChurchCRM\/CRM\/security\/advisories\/GHSA-fcw7-mmfh-7vjm) |\\n | **Discovered by** | [Lukasz Rybak](https:\/\/github.com\/lukasz-rybak) |\\n \\n ## Affected Products\\n \\n – **ChurchCRM\/CRM**\\n \\n \\n \\n ## Details\\n \\n ### Summary\\n A critical privilege escalation vulnerability exists in ChurchCRM version 6.3.0 and earlier. An authenticated user with specific mid-level permissions (\\”Edit Records\\” and \\”Manage Properties and Classifications\\”) can inject a persistent Cross-Site Scripting (XSS) payload into an administrator’s profile. The payload executes when the administrator views their own profile page, allowing the attacker to hijack the administrator’s session, perform administrative actions, and achieve a full account takeover.\\n \\n This vulnerability is a combination of two separate flaws: an Insecure Direct Object Reference (IDOR) that allows any user to view any other user’s profile, and a Broken Access Control vulnerability that allows a user with general edit permissions to modify any other user’s record properties.\\n \\n ### Details\\n The attack chain is as follows:\\n \\n 1. **IDOR in `PersonView.php`:** There is no authorization check at the beginning of `PersonView.php`. Any authenticated user can view the profile page of any other user (e.g., `PersonView.php?PersonID=1` for the admin) simply by knowing their ID.\\n \\n 2. **Broken Access Control in `PropertyAssign.php`:** The \\”Assign a New Property\\” functionality, accessible from another user’s `PersonView.php` page, directs the user to `PropertyAssign.php`. This script correctly checks if the user has the general `isEditRecordsEnabled()` permission, but it **fails to perform an object-level authorization check** to verify if the user is allowed to edit the specific `PersonID` passed in the URL. This allows a user with \\”Edit Records\\” to modify properties of any person in the system, including an administrator.\\n \\n 3. **Stored XSS Vector:** An attacker can leverage these two flaws to navigate to the administrator’s profile page and use the \\”Assign a New Property\\” form to save a malicious XSS payload to the administrator’s record. The `Value` field for text-based properties is not properly sanitized on input (only `strip_tags` is applied, which does not remove event handlers) and is not encoded on output, leading to Stored XSS.\\n \\n * **Input Handling (`src\/PropertyAssign.php`):** Saves the property value after only applying `strip_tags()`, which allows event handler attributes like `onerror`.\\n * **Vulnerable Output Sink (`src\/PersonView.php`):** Renders the stored property value directly into the HTML without `htmlspecialchars()`, causing the payload to execute.\\n “`php\\n \/\/ src\/PersonView.php, line ~722\\n \\u003ctd\\u003e\\u003c?= $r2p_Value ?\\u003e\\u003c\/td\\u003e \/\/ Vulnerable: Raw output\\n “`\\n \\n ### PoC\\n This Proof of Concept demonstrates how a user with specific mid-level permissions can inject a Stored XSS payload into the main administrator’s profile.\\n \\n **Prerequisites:**\\n * An attacker has an account with two specific permissions enabled:\\n 1. `Edit Records`\\n 2. `Manage Properties and Classifications`\\n \\n **Scenario:**\\n \\n 1. **Login as Attacker:** Log in as the user with the permissions listed above.\\n \\n \\u003cimg width=\\”1787\\” height=\\”755\\” alt=\\”image\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/ba13aca7-b4cc-46db-809e-c227b7b62177\\” \/\\u003e\\n \\n 2. **Target the Administrator:** Navigate directly to the administrator’s profile page, which is typically `PersonID=1`.\\n “`\\n http:\/\/localhost:8101\/PersonView.php?PersonID=1\\n “`\\n (Access is granted due to the IDOR in `PersonView.php`).\\n \\n \\u003cimg width=\\”2546\\” height=\\”766\\” alt=\\”image\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/b52a6b77-4e30-46c3-bca0-ce98f6c129f9\\” \/\\u003e\\n \\n 3. **Inject Payload:**\\n * On the administrator’s profile page, scroll down to the **Assigned Properties** tab.\\n * In the \\”Assign a New Property\\” form, select the text-based property e.g. (\\”Test\\”). (The form is visible due to the \\”Edit Records\\” permission).\\n * In the **Value** textarea that appears, enter the following XSS payload:\\n “`html\\n \\u003cimg src=x onerror=alert(‘XSS_on_ADMIN_Profile’)\\u003e\\n “`\\n * Click the \\”Assign\\” button. The payload is now stored on the administrator’s record. (The assignment is possible due to the Broken Access Control in `PropertyAssign.php`).\\n \\n \\u003cimg width=\\”2548\\” height=\\”799\\” alt=\\”image\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/7ec283e1-1c7a-4f77-bf27-b0e12775fb1b\\” \/\\u003e\\n \\u003cimg width=\\”2542\\” height=\\”913\\” alt=\\”image\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/2c25fe24-bbe5-486e-8af2-c3a18e9e9982\\” \/\\u003e\\n \\n 4. **Trigger the Attack:**\\n * The attacker can now wait for the administrator to log in and view their own profile.\\n * When the administrator navigates to their own profile page (`PersonView.php?PersonID=1`), the payload will execute immediately, and an alert box will appear. The attacker could use a more advanced payload to steal the administrator’s session cookie.\\n \\n \\u003cimg width=\\”2537\\” height=\\”838\\” alt=\\”image\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/d2c925c0-f0ed-4b95-a10d-9f64790ba72f\\” \/\\u003e\\n \\u003cimg width=\\”2544\\” height=\\”758\\” alt=\\”image\\” src=\\”https:\/\/github.com\/user-attachments\/assets\/2d947282-b16a-4a06-81f7-7270bf316904\\” \/\\u003e\\n \\n ### Impact\\n This is a critical privilege escalation vulnerability. It allows a user with specific, elevated (but non-admin) permissions to gain full control over an administrator’s account. By hijacking the admin’s session, the attacker can perform any action available to an administrator, including creating new admin accounts, deleting data, and potentially chaining this with other vulnerabilities to achieve full server compromise.\\n \\n ### Attribution\\n \\n Reported by: \u0141ukasz Rybak\\n \\n ## References\\n \\n – https:\/\/github.com\/ChurchCRM\/CRM\/security\/advisories\/GHSA-fcw7-mmfh-7vjm\\n \\n \\n ## Disclaimer\\n \\n This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.”,”sourceHref”:”https:\/\/packetstorm.news\/download\/218764″,”cvss”:{“score”:8.5,”severity”:”HIGH”,”vector”:”CVSS:4.0\/AV:N\/AC:L\/AT:N\/PR:L\/UI:A\/VC:H\/SC:N\/VI:H\/SI:N\/VA:H\/SA:N”,”version”:”4.0″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/218764\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-13T15:47:25″,”description”:”ChurchCRM versions 6.5.2 and below suffer from a persistent cross site scripting vulnerability in the person property assignment functionality. Note that the advisory says versions…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,44,12,15,13,53,7,11,5],"class_list":["post-46314","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-85","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n