References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Change History

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the Pledge Editor renders donation comment values directly into HTML input value attributes without escaping via htmlspecialchars(). An authenticated user with Finance permissions can inject HTML attribute-breaking characters and event handlers into the comment field, which are stored in the database and execute in the browser of any user who subsequently opens the pledge record for editing, resulting in stored XSS. This issue has been fixed in version 7.2.0.

AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CWE-79

CWE-116

https://github.com/ChurchCRM/CRM/commit/b3da72a2b35f9c600e340a9dfd35e7792ff4f899

https://github.com/ChurchCRM/CRM/pull/8609

https://github.com/ChurchCRM/CRM/security/advisories/GHSA-wjmf-w8gj-rx7g