CVE-2023-31548
Published: 31 May 2023
Summary
CVE-2023-31548 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in ChurchCRM (vendor: churchcrm). Its CVSS base score is 5.4 (Medium).
Operationally, it ranks in the top 3.9% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
A stored cross-site scripting vulnerability exists in the FundRaiserEditor.php component of ChurchCRM version 4.5.3. The flaw, tracked as CVE-2023-31548 and classified as CWE-79, permits an authenticated user to submit a crafted payload that is stored and later rendered as arbitrary web script or HTML when the page is viewed by other users. The issue carries a CVSS 3.1 score of 5.4, reflecting a network attack vector, low attack complexity, low privileges required and required user interaction, with limited confidentiality and integrity impact under changed scope.
An attacker who can create or edit FundRaiser content can embed malicious scripts that execute in the browsers of other authenticated users, enabling actions such as session hijacking, privilege escalation within the application, or theft of sensitive data displayed to those users. Because the payload persists in the database, the attack does not require repeated delivery after the initial injection.
The EPSS score for this CVE stands at 0.2350 with no material increase from its initial value, indicating limited observed exploitation interest to date. Public disclosure materials are limited to researcher repositories that reproduce the issue but contain no official patch guidance or mitigation statements from the ChurchCRM project.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-35849
Vulnerability details
A stored Cross-site scripting (XSS) vulnerability in the FundRaiserEditor.php component of ChurchCRM v4.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
- CWE(s): CWE-79 (Cross-site Scripting)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing submits XSS payloads to web applications to detect cross-site scripting flaws for subsequent remediation.
- Input validation rejects script-related content in web inputs that could produce XSS.
- Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.
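The output-encoding control above, as an added example that is not ChurchCRM's own code: the page does not show the FundRaiserEditor.php source, so the field name, the `h()` helper and both render functions are hypothetical, and the stored value is a constructed sample. The point is that a stored value must be encoded for its HTML context at the moment it is written into the page, regardless of what validation ran when it was saved.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: encode an untrusted string for HTML body or attribute context.
// ENT_QUOTES encodes both quote styles, so the result is also safe inside a
// single-quoted attribute; ENT_SUBSTITUTE avoids returning '' on malformed UTF-8.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: the stored fundraiser title is echoed as-is, so any markup
// saved through the editor becomes live DOM in every viewer's browser.
function renderTitleUnsafe(string $storedTitle): string
{
    return '<h2>' . $storedTitle . '</h2>';
}

// Hardened pattern: the same value is encoded at the point of output, so markup
// in it is displayed literally instead of being parsed.
function renderTitleSafe(string $storedTitle): string
{
    return '<h2>' . h($storedTitle) . '</h2>';
}

// Constructed sample of a crafted value that an authenticated user could have
// saved into the fundraiser record.
$stored = "Spring Gala <script>alert('xss')</script>";

// The unsafe rendering leaves the <script> element intact; the safe rendering
// turns <, >, ' and & into entities, so no script element exists in the page.
echo renderTitleUnsafe($stored), PHP_EOL;
echo renderTitleSafe($stored), PHP_EOL;

// A quick self-check a maintainer can keep as a unit test: the encoded output
// must not contain a raw angle bracket from the stored value.
assert(strpos(renderTitleSafe($stored), '<script') === false);
```

Applying `h()` consistently in the template layer is the durable fix; input validation on save (the second control above) is a useful second layer but cannot retroactively clean values already in the database.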