CVE-2025-1024

Published Feb 19, 2025

Last updated 4 days ago

CVSS high 8.4

Overview

Description
A vulnerability exists in ChurchCRM 5.13.0 that allows an attacker to execute arbitrary JavaScript in a victim's browser via Reflected Cross-Site Scripting (XSS) in the EditEventAttendees.php page. This requires Administration privileges and affects the EID parameter. The flaw allows an attacker to steal session cookies, perform actions on behalf of an authenticated user, and gain unauthorized access to the application.
Source
b7efe717-a805-47cf-8e9a-921fca0ce0ce
NVD status
Received

Risk scores

CVSS 4.0

Type
Secondary
Base score
8.4
Impact score
-
Exploitability score
-
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:H/VI:L/VA:H/SC:H/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:L/U:Amber
Severity
HIGH

Weaknesses

b7efe717-a805-47cf-8e9a-921fca0ce0ce
CWE-287

Social media

Hype score
Not currently trending

  1. [CVE-2025-1024: HIGH] Vulnerability in ChurchCRM 5.13.0 enables XSS attack on EditEventAttendees.php, granting attacker admin privileges. Exploitation leads to cookie theft and unauthorized app access.#cybersecurity,#vulnerability https://t.co/23PQZKVEeD https://t.co/6m6NW4OxTs

    @CveFindCom

    19 Feb 2025

    16 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

References