CVE-2025-65187 is a stored Cross-Site Scripting (XSS) vulnerability identified in CiviCRM, an open-source constituent relationship management system widely used by non-profits, NGOs, and public sector organizations. The vulnerability exists in the Accounting Batches field prior to version 6.7. An authenticated user can inject malicious JavaScript payloads into this field, which are then stored persistently in the application database. When any user views the affected page containing the malicious input, the script executes in their browser context. This can lead to session hijacking, unauthorized actions performed on behalf of the user, or the theft of sensitive information accessible via the browser. The vulnerability requires authentication but no special privileges, and user interaction is necessary to trigger the payload execution. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) indicates network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and low impact on confidentiality and integrity, with no availability impact. No known exploits have been reported in the wild, and no official patches were linked at the time of disclosure, though upgrading to version 6.7 or later is recommended. The vulnerability is categorized under CWE-79, which covers improper neutralization of input during web page generation leading to XSS. This flaw highlights the importance of proper input validation and output encoding in web applications handling user-generated content.

For European organizations, particularly NGOs, charities, and public sector bodies that rely heavily on CiviCRM for managing constituent data and accounting processes, this vulnerability poses a risk of client-side script injection. Exploitation could lead to unauthorized access to user sessions, data theft, or manipulation of user interface elements, undermining trust and potentially exposing sensitive personal or financial data. Although the impact on availability is negligible, the confidentiality and integrity of data accessed via the browser can be compromised. Given the collaborative nature of many European organizations and the regulatory environment (e.g., GDPR), even limited data leakage or unauthorized actions could result in compliance violations and reputational damage. The requirement for authentication limits the attack surface but does not eliminate risk, especially in environments with many users or insufficient access controls. The lack of known exploits reduces immediate urgency but does not preclude targeted attacks or exploitation in the future.

1. Upgrade CiviCRM to version 6.7 or later where the vulnerability is addressed. 2. Implement strict input validation on the Accounting Batches field to disallow or sanitize potentially malicious scripts. 3. Apply output encoding/escaping on all user-generated content before rendering it in the browser to prevent script execution. 4. Restrict access to the Accounting Batches field to trusted and minimal users to reduce the risk of malicious input. 5. Conduct regular security audits and code reviews focusing on input handling and output rendering. 6. Educate users about the risks of clicking on suspicious links or interacting with untrusted content within the CRM. 7. Monitor logs for unusual activity related to the Accounting Batches field or unexpected script injections. 8. Consider deploying Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in the browser context. 9. If immediate upgrade is not possible, implement web application firewall (WAF) rules to detect and block common XSS payloads targeting this field.