CVE-2025-68401 (CNNVD-202512-3166)
Chinese title:
ChurchCRM Cross-Site Scripting Vulnerability
English title:
ChurchCRM has Stored Cross-Site Scripting (XSS) vulnerability that leads to session theft and account takeover
Vulnerability Description
Chinese description:
ChurchCRM is an open-source CRM system built by ChurchCRM for churches. Versions of ChurchCRM prior to 6.0.0 contain a cross-site scripting vulnerability that stems from insufficient sanitization and encoding when storing user-supplied HTML/JS, which may lead to stored cross-site scripting attacks.
English description:
ChurchCRM is an open-source church management system. Prior to version 6.0.0, the application stores user-supplied HTML/JS without sufficient sanitization/encoding. When other users later view this content, attacker-controlled JavaScript executes in their browser (stored XSS). In affected contexts the script can access web origin data and perform privileged actions as the victim. Where session cookies are not marked HttpOnly, the script can read document.cookie, enabling session theft and account takeover. Version 6.0.0 patches the issue.
CWE type:
Tags:
Affected Products
| Vendor | Product | Version | Version range | Platform | CPE |
|---|---|---|---|---|---|
| ChurchCRM | CRM | < 6.0.0 | - | - | cpe:2.3:a:churchcrm:crm:<_6.0.0:*:*:*:*:*:*:* |
| churchcrm | churchcrm | * | - | - | cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:* |
Solution
Chinese solution:
English solution:
Temporary workaround:
References
cve.org
CVSS Score Details
4.0 (cna)
MEDIUM CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N
Timeline
Exploit Information
Data Source Details
| Data source | Record ID | Version | Extraction time |
|---|---|---|---|
| CVE | cve_CVE-2025-68401 | 2025-12-19 03:24:15 | 2026-01-12 02:12:30 |
| NVD | nvd_CVE-2025-68401 | 2025-12-19 03:25:39 | 2026-01-12 02:28:13 |
| CNNVD | cnnvd_CNNVD-202512-3166 | 2026-01-11 06:15:06 | 2026-01-12 02:38:02 |
Version and Language
Security Advisories
Change History
Detailed changes:
- vulnerability_type: not extracted -> Cross-site scripting
- cnnvd_id: not extracted -> CNNVD-202512-3166
- data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
Detailed changes:
- affected_products_count: 1 -> 2
- data_sources: ['cve'] -> ['cve', 'nvd']