CVE-2022-36136: The latest version of ChurchCRM contains cross-site scripting (XSS) vulnerabilities that allow an attacker to store XSS payloads in the application.
An attacker can use the stored XSS to steal a user’s name, email, phone number, address, or other information held in the system, and can also use it to change the Deposit Comment to something malicious.
Alongside XSS, an attacker can use injection to store a malicious script in the system, and can likewise use injection to change the Deposit Comment to something malicious.
In short, both XSS and injection may let an attacker steal a user’s name, email, phone number, address, or other stored information, and XSS can also be used to alter the Deposit Comment.
How many people are affected by this?
The number of people who are affected by this is difficult to estimate because many companies have not fixed the vulnerability.
How does XSS work?
To use XSS, an attacker has to inject malicious script into the system. For example, the attacker could inject JavaScript code that would change your browser’s address bar to say www.evil-site.com.
How does an XSS attack work?
XSS attacks work by injecting malicious script into a web site or application. The malicious script would normally be executed by the server, but an attacker could also carry out these attacks through client-side code. An attacker could access data stored on the server and send requests with malicious data to cause XSS attacks.
When browsing a web site, if you view another user’s account information and click “Submit Comment”, the system will execute your code and send it to the server. If an attacker is able to inject a malicious script into this form, they would be able to steal the user’s name, email, phone number, address, or other information stored on the server. In this case, if an attacker had injected a malicious script into the form that changed the “Comment” field to something else (e.g., "DECEITFUL"), that comment would be sent to the server whenever someone else submitted the form.
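The root cause of a stored XSS flaw like the one described above is that text saved from a form (here, the Deposit Comment) is later written back into a page without HTML encoding, so the browser treats it as markup rather than as data. The example below is added here to illustrate that mechanism and its fix; it is not ChurchCRM's code and does not reproduce the vulnerable component. The comment records, the two render functions and the `audit_stored_comments` helper are all hypothetical: the vulnerable renderer interpolates the stored text raw, the hardened one encodes it at output time with `html.escape`, and the audit scans stored records for markup that would become active if rendered unescaped, which is what a defender would want to run over a database after patching.

```python
import html
import re

# Constructed sample records standing in for stored Deposit Comments.
# Hypothetical data; record 102 holds a harmless marker payload.
SAMPLE_COMMENTS = {
    101: "Sunday offering, counted by two ushers",
    102: "<script>alert(1)</script>",
    103: 'Check #2203 "memorial fund"',
}


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable pattern: stored text is interpolated straight into HTML.

    Whatever was saved from the form is handed to the browser as markup.
    """
    return f'<td class="deposit-comment">{comment}</td>'


def render_comment_safe(comment: str) -> str:
    """Hardened pattern: encode at output time for an HTML-text context.

    quote=True also encodes quotes, so the same helper stays safe if the
    value is ever placed inside an attribute.
    """
    return f'<td class="deposit-comment">{html.escape(comment, quote=True)}</td>'


# Heuristic for markup that executes or loads content when rendered raw.
# Intentionally broad: it is an audit aid for stored data, not a sanitizer.
_ACTIVE_MARKUP = re.compile(
    r"<\s*/?\s*(script|iframe|img|svg|object|embed)\b"  # active elements
    r"|\bon[a-z]+\s*="                                  # inline event handlers
    r"|javascript:",                                    # script URLs
    re.IGNORECASE,
)


def audit_stored_comments(comments: dict[int, str]) -> list[int]:
    """Return the ids of stored comments that contain active markup.

    Use after patching: the fix stops new payloads from executing, but
    previously stored ones remain in the database until cleaned up.
    """
    return sorted(cid for cid, text in comments.items() if _ACTIVE_MARKUP.search(text))


if __name__ == "__main__":
    for cid, text in SAMPLE_COMMENTS.items():
        print(cid, "unsafe:", render_comment_unsafe(text))
        print(cid, "safe:  ", render_comment_safe(text))
    print("records needing cleanup:", audit_stored_comments(SAMPLE_COMMENTS))
```

Encoding belongs at the point of output rather than at the point of storage: the same comment may later be emitted into HTML, a JSON API response or a CSV export, and each of those needs its own encoding. The audit helper is deliberately a coarse pattern match; it is meant to flag records for review, not to decide what is safe.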
Timeline
Published on: 11/29/2022 04:15:00 UTC
Last modified on: 11/30/2022 03:57:00 UTC