// For flags

CVE-2025-0981

Session Hijacking via Stored Cross-Site Scripting (XSS) in ChurchCRM GroupEditor.php Description Field

Severity Score

8.4
*CVSS v4

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Attend
*SSVC
Descriptions

A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to hijack a user's session by exploiting a Stored Cross Site Scripting (XSS) vulnerability in the Group Editor page. This allows admin users to inject malicious JavaScript, which captures the session cookie of authenticated users. The cookie can then be sent to an external server, enabling session hijacking. It can also lead to information disclosure, as exposed session cookies can be used to impersonate users and gain unauthorised access to sensitive information.

A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to hijack a user's session by exploiting a Stored Cross Site Scripting (XSS) vulnerability in the Group Editor page. This allows admin users to inject malicious JavaScript in the description field, which captures the session cookie of authenticated users. The cookie can then be sent to an external server, enabling session hijacking. It can also lead to information disclosure, as exposed session cookies can be used to impersonate users and gain unauthorised access to sensitive information.

A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to hijack a user's session by exploiting a Stored Cross Site Scripting (XSS) vulnerability in the Group Editor page. This allows admin users to inject malicious JavaScript in the description field, which captures the session cookie of authenticated users. The cookie can then be sent to an external server, enabling session hijacking. It can also lead to information disclosure, as exposed session cookies can be used to impersonate users and gain unauthorised access to sensitive information.

*Credits: Michael McInerney
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Attack Requirements
None
Privileges Required
High
User Interaction
Passive
System
Vulnerable | Subsequent
Confidentiality
High
High
Integrity
Low
Low
Availability
High
High
Attack Vector
Network
Attack Complexity
Low
Attack Requirements
None
Privileges Required
High
User Interaction
Passive
System
Vulnerable | Subsequent
Confidentiality
High
High
Integrity
Low
Low
Availability
High
High
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
Attack Vector
Network
Attack Complexity
Medium
Authentication
Single
Confidentiality
Partial
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:Attend
Exploitation
Poc
Automatable
No
Tech. Impact
Total
* Organization's Worst-case Scenario
Timeline
  • 2025-02-03 CVE Reserved
  • 2025-02-18 CVE Published
  • 2025-02-19 CVE Updated
  • 2025-02-19 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-287: Improper Authentication
CAPEC
  • CAPEC-102: Session Sidejacking
References (1)
URL Tag Source
https://github.com/ChurchCRM/CRM/issues/7245
URL Date SRC
URL Date SRC
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
ChurchCRM
Search vendor "ChurchCRM"
 ChurchCRM
Search vendor "ChurchCRM" for product "ChurchCRM"
 5.13.0
Search vendor "ChurchCRM" for product "ChurchCRM" and version "5.13.0"
en
Affected