CVE-2024-25895 is a reflected cross-site scripting (XSS) vulnerability affecting ChurchCRM version 5.5.0, specifically in the /EventAttendance.php script. The vulnerability arises because the application fails to properly sanitize or encode the 'type' parameter before reflecting it back in the HTTP response. This allows an attacker to craft a malicious URL containing JavaScript or HTML code that executes in the victim's browser when the link is clicked. Since the vulnerability is reflected, it requires user interaction to trigger the attack. The vulnerability does not require any authentication, making it accessible to unauthenticated remote attackers. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) indicates network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and low impact on confidentiality and integrity, with no impact on availability. The scope change means the vulnerability affects resources beyond the vulnerable component, potentially impacting the entire web application session. No patches or official fixes have been published yet, and no exploits have been reported in the wild. The vulnerability is classified under CWE-79, which covers improper neutralization of input during web page generation leading to XSS.

The primary impact of this vulnerability is the potential for attackers to execute arbitrary scripts in the context of the vulnerable ChurchCRM web application. This can lead to session hijacking, theft of sensitive user information, defacement, or redirection to malicious sites. For organizations using ChurchCRM to manage church-related data, this could compromise member privacy and trust. Although the impact on availability is none, the confidentiality and integrity of user sessions and data are at risk. Since the vulnerability requires user interaction, the attack surface is somewhat limited but still significant, especially if attackers can lure users into clicking malicious links via email or social media. The scope change in the CVSS vector suggests that the vulnerability could affect multiple components or user sessions, increasing potential damage. The lack of known exploits reduces immediate risk, but the absence of patches means the vulnerability remains open to future exploitation.

Until an official patch is released, organizations should implement several specific mitigations: 1) Employ web application firewalls (WAFs) with rules to detect and block reflected XSS payloads targeting the 'type' parameter in /EventAttendance.php. 2) Educate users and administrators about the risks of clicking untrusted links, especially those purporting to come from ChurchCRM. 3) Implement Content Security Policy (CSP) headers to restrict the execution of inline scripts and reduce the impact of XSS attacks. 4) Review and sanitize all user inputs on the server side, particularly the 'type' parameter, if custom modifications or temporary fixes are possible. 5) Monitor web server logs for suspicious requests containing script tags or unusual parameters targeting /EventAttendance.php. 6) Isolate ChurchCRM instances from critical internal networks to limit lateral movement if exploitation occurs. 7) Plan for rapid deployment of official patches once available and test updates in a staging environment before production rollout.