[CVE-2022–36136]ChurchCRM Version 4.4.5 — Stored XSS Vulnerability at Deposit Commend
ChurchCRM Version 4.4.5 has XSS vulnerabilities that allow attackers to store XSS via location input Deposit Comment.
<img src="test" onerror=confirm("Grim-The-Ripper-Team-by-SOSECURE-Thailand")>
- ChurchCRM Version 4.4.5 https://github.com/ChurchCRM/CRM/releases/tag/4.4.5
- Google Chrome Version 103.0.5060.114 (Official Build) (64-bit)
Steps to attack:
- Login with admin credential.
2. Go to the “Deposit” as show in the picture and Click on the “View All Deposits” then click on the “Deposit Comment” enter the XSS payload and press the “Add New Deposit” button.
3. After press the “Add New Deposit” button The XSS payload will run immediately.
Grim The Ripper Team by SOSECURE Thailand