CVE-2026-39332
🟡 Monitoruj
Refleksyjna podatność XSS w ChurchCRM pozwala na kradzież ciasteczek sesyjnych przez uwierzytelnionych użytkowników.
CVSS
8.7
EPSS
0.0%
Exploit
none
Vendor
churchcrm
Opis źródłowy (NVD)
ChurchCRM is an open-source church management system. Prior to 7.1.0, a reflected Cross-Site Scripting (XSS) vulnerability in GeoPage.php allows any authenticated user to inject arbitrary JavaScript into the browser of another authenticated user. Because the payload fires automatically via autofocus with no user interaction required, an attacker can steal session cookies and fully take over any victim account, including administrator accounts, by tricking them into submitting a crafted form. This vulnerability is fixed in 7.1.0.
xss
Brak patcha
Źródła i daty
| Źródło | Wartość |
|---|---|
| NVD – CVSS | 8.7 |
| CISA KEV (aktywnie wykorzystywane) | Nie |
| FIRST EPSS (prawdopodobieństwo exploita) | 0.0% |
| Opublikowano (NVD) | 2026-04-07 18:16:44 UTC |
| Ostatnia modyfikacja (NVD) | 2026-04-10 20:58:07 UTC |
Referencje
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-hc6g-h48v-wqvq (security-advisories@github.com) [Third Party Advisory]