Lucene search
Rahad Chowdhury1337DAY-ID-38693HistoryMay 19, 2023 - 12:00 a.m.
ChurchCRM 4.5.4 Cross Site Scripting Vulnerability
2023-05-1900:00:00
Rahad Chowdhury
0day.today
179
churchcrm
cross site scripting
vulnerability
image
authenticated
csv import
exiftool
apache
cve-2023-31699
0.001 Low
EPSS
Percentile
25.8%
# Exploit Title: ChurchCRM v4.5.4 - Reflected XSS via Image (Authenticated)
# Exploit Author: Rahad Chowdhury
# Vendor Homepage: http://churchcrm.io/
# Software Link: https://github.com/ChurchCRM/CRM/releases/tag/4.5.4
# Version: 4.5.4
# Tested on: Windows 10, PHP 7.4.29, Apache 2.4.53
# CVE: CVE-2023-31699
Steps to Reproduce:
1. At first login your admin panel.
2. Then click "Admin" menu and click "CSV Import" and you will get CSV file
uploder option.
3. now insert xss payload in jpg file using exiftool or from image
properties and then upload the jpg file.
4. you will see XSS pop up.
Related
osv
osv
CVE-2023-31699
2023-05-17 13:15:09
cnvd
cnvd
ChurchCRM Cross-Site Scripting Vulnerability (CNVD-2023-64495)
2023-05-19 00:00:00
cve
cve
CVE-2023-31699
2023-05-17 13:15:09
nvd
nvd
CVE-2023-31699
2023-05-17 13:15:09
cvelist
cvelist
CVE-2023-31699
2023-05-17 00:00:00
prion
prion
Cross site scripting
2023-05-17 13:15:00
packetstorm
packetstorm
ChurchCRM 4.5.4 Cross Site Scripting
2023-05-19 00:00:00
exploitdb
exploitdb
ChurchCRM v4.5.4 - Reflected XSS via Image (Authenticated)
2023-05-23 00:00:00