What is the severity of CVE-2025-1024?

CVE-2025-1024 has a medium severity rating due to its potential for exploitation via reflected cross-site scripting.

How do I fix CVE-2025-1024?

To fix CVE-2025-1024, update ChurchCRM to the latest version where this vulnerability has been patched.

Who is affected by CVE-2025-1024?

Users with Administration privileges in ChurchCRM 5.13.0 are affected by CVE-2025-1024.

What does CVE-2025-1024 exploit?

CVE-2025-1024 exploits the EID parameter on the EditEventAttendees.php page to execute arbitrary JavaScript.

What type of vulnerability is CVE-2025-1024?

CVE-2025-1024 is a Reflected Cross-Site Scripting (XSS) vulnerability.

Vulnerability/
CVE-2025-1024

high

8.4

CWE

287 79

19/2/2025

CVE-2025-1024: Session Hijacking via Reflected Cross-Site Scripting (XSS) in ChurchCRM EditEventAttendees.php EID Parameter

First published: Wed Feb 19 2025(Updated: )

A vulnerability exists in ChurchCRM 5.13.0 that allows an attacker to execute arbitrary JavaScript in a victim's browser via Reflected Cross-Site Scripting (XSS) in the EditEventAttendees.php page. This requires Administration privileges and affects the EID parameter. The flaw allows an attacker to steal session cookies, perform actions on behalf of an authenticated user, and gain unauthorized access to the application.

Credit: b7efe717-a805-47cf-8e9a-921fca0ce0ce

Affected Software	Affected Version	How to fix
ChurchCRM

Remedy

To mitigate this vulnerability, implement output encoding to prevent malicious script injection in user-controlled input fields, ensure that session cookies are set with the HttpOnly and Secure flags to protect them from client-side access, and validate and sanitize user input before reflecting it in web pages.

Never miss a vulnerability like this again

Reference Links

https://github.com/ChurchCRM/CRM/issues/7250

Frequently Asked Questions

What is the severity of CVE-2025-1024?
CVE-2025-1024 has a medium severity rating due to its potential for exploitation via reflected cross-site scripting.
How do I fix CVE-2025-1024?
To fix CVE-2025-1024, update ChurchCRM to the latest version where this vulnerability has been patched.
Who is affected by CVE-2025-1024?
Users with Administration privileges in ChurchCRM 5.13.0 are affected by CVE-2025-1024.
What does CVE-2025-1024 exploit?
CVE-2025-1024 exploits the EID parameter on the EditEventAttendees.php page to execute arbitrary JavaScript.
What type of vulnerability is CVE-2025-1024?
CVE-2025-1024 is a Reflected Cross-Site Scripting (XSS) vulnerability.

collector/mitre-cve
source/MITRE
agent/title
agent/remedy
agent/weakness
agent/references
agent/description
agent/type
agent/first-publish-date
agent/guess-ai
agent/software-canonical-lookup
agent/softwarecombine
collector/nvd-api
source/NVD
agent/severity
agent/author
agent/last-modified-date
agent/source
agent/tags
agent/event
vendor/churchcrm
canonical/churchcrm

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.