← volver
CVE-2025-68399

ChurchCRM has Stored Cross-Site Scripting (XSS) In GroupEditor.php

CVSS 2 LOWEPSS 0.2%CWE-79
Vexday Risk Score
8Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 2EPSS 0.2%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
17 dic 2025Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
ChurchCRM is an open-source church management system. In versions prior to 6.5.4, there is a Stored Cross-Site Scripting (XSS) vulnerability within the GroupEditor.php page of the application. When a user attempts to create a group role, they can execute malicious JavaScript. However, for this to work, the user must have permission to view and modify groups in the application. Version 6.5.4 fixes the issue.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:P
Productos afectados
ChurchCRM · CRM

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-gfxf-w4cg-c54j