CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2025-1024: Session Hijacking via Reflected Cross-Site Scripting (XSS) in ChurchCRM EditEventAttendees.php EID Parameter

8.4 CVSS

Description

A vulnerability exists in ChurchCRM 5.13.0 that allows an attacker to execute arbitrary JavaScript in a victim's browser via Reflected Cross-Site Scripting (XSS) in the EditEventAttendees.php page. This requires Administration privileges and affects the EID parameter. The flaw allows an attacker to steal session cookies, perform actions on behalf of an authenticated user, and gain unauthorized access to the application.

Classification

CVE ID: CVE-2025-1024

CVSS Base Severity: HIGH

CVSS Base Score: 8.4

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:H/SC:H/SI:L/SA:H/AU:Y/R:U/V:C/RE:L/U:Amber

Affected Products

Vendor: ChurchCRM

Product: ChurchCRM

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.03% (probability of being exploited)

EPSS Percentile: 5.23% (scored less or equal to compared to others)

EPSS Date: 2025-03-20 (when was this score calculated)

References

https://github.com/ChurchCRM/CRM/issues/7250

Timeline

2025-02-20 00:31:07 UTC
CVE

Session Hijacking via Reflected Cross-Site Scripting (XSS) in ChurchCRM EditEventAttendees.php EID Parameter