CVE-2024-25898

Published: Feb 21, 2024Modified: Mar 28, 2025

6.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Exploitability: 2.8 / Impact: 2.7

Source: NVD

Description

A XSS vulnerability was found in the ChurchCRM v.5.5.0 functionality, edit your event, where malicious JS or HTML code can be inserted in the Event Sermon field in EventEditor.php.

Affected (1)

Products: Churchcrm: Churchcrm

Churchcrm

1 product

Churchcrm

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Churchcrm Churchcrm	Version 5.5.0

Related CWEs

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (2)

https://github.com/ChurchCRM/CRM/issues/6851

Source: cve@mitre.org

ExploitIssue Tracking

https://github.com/ChurchCRM/CRM/issues/6851

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitIssue Tracking

Timeline

No history available yet.