ChurchCRM has Stored XSS in PersonView.php via Facebook Field Attribute Injection

Description

A vulnerability described as problematic has been identified in ChurchCRM up to 7.0.x. This affects the function sanitizeText of the file PersonView.php of the component HTML Attribute Handler. Such manipulation of the argument Facebook leads to HTML injection. The attack may be performed from remote.

Affected Products

References

• https://github.com/ChurchCRM/CRM/security/advisories/GHSA-pqp6-54p2-m66f(x_refsource_CONFIRM)

Related News (1 articles)