CVE-2024-36647 is a stored cross-site scripting (XSS) vulnerability identified in Church CRM version 5.8.0. The vulnerability arises from insufficient input sanitization on the Family Name parameter within the 'Register a New Family' page, allowing attackers with at least limited privileges to inject malicious JavaScript or HTML code. When a victim user accesses the affected page or views the injected data, the malicious script executes in their browser context, potentially leading to session hijacking, unauthorized actions, or data theft. The vulnerability requires user interaction (such as viewing the malicious entry) and privileges to submit data, which limits its exploitation scope. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) indicates network attack vector, low attack complexity, requiring privileges and user interaction, with a scope change and limited confidentiality and integrity impact but no availability impact. No public exploits or patches have been reported yet, so organizations must rely on mitigation strategies until an official fix is released. The vulnerability is classified under CWE-79, a common web application security issue related to improper neutralization of input leading to XSS.

The primary impact of this vulnerability is the potential compromise of confidentiality and integrity within Church CRM installations. Attackers can execute arbitrary scripts in the context of authenticated users, potentially stealing session tokens, performing unauthorized actions, or defacing web content. This can lead to unauthorized access to sensitive community or member data managed by the CRM. Since the vulnerability requires limited privileges and user interaction, the risk is somewhat contained but still significant in environments where multiple users access the CRM interface. Religious organizations and community groups relying on Church CRM may face reputational damage and data privacy concerns if exploited. The absence of known exploits reduces immediate risk, but the public disclosure increases the likelihood of future exploitation attempts.

Organizations should implement strict input validation and output encoding on the Family Name parameter and any other user-supplied inputs to prevent script injection. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in the browser. Limit user privileges to the minimum necessary to reduce the attack surface. Monitor logs for suspicious input patterns or unusual user activity related to family registration. Until an official patch is released, consider temporarily disabling or restricting access to the vulnerable functionality if feasible. Educate users about the risks of interacting with untrusted inputs within the CRM interface. Regularly check for vendor updates or security advisories to apply patches promptly once available.