CVE-2025-65187

6.1 MEDIUM

📋 TL;DR

A stored cross-site scripting (XSS) vulnerability in CiviCRM allows authenticated users to inject malicious JavaScript into the Accounting Batches field. This script executes whenever the vulnerable page is viewed, potentially compromising other users' sessions. Organizations using CiviCRM versions before 6.7 are affected.

💻 Affected Systems

Products:
  • CiviCRM
Versions: All versions before 6.7
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access to the Accounting Batches functionality.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal administrator credentials, hijack user sessions, deface the application, or redirect users to malicious sites, potentially leading to full system compromise.

🟠 Likely Case

Authenticated attackers with malicious intent could steal session cookies, perform actions as other users, or deploy phishing attacks against other users.

🟢 If Mitigated

With proper input validation and output encoding, the injected payload is rendered as inert text rather than executed as script.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is technically simple once access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.7 and later

Vendor Advisory: https://civicrm.com/

Restart Required: No

Instructions:

1. Back up your CiviCRM installation and database.
2. Download CiviCRM version 6.7 or later from the official website.
3. Follow the standard upgrade procedure for your CMS (Drupal, WordPress, or Joomla).
4. Verify that the upgrade completed successfully.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

Implement server-side input validation to sanitize the Accounting Batches field: add custom validation in CiviCRM code that strips or encodes HTML/JavaScript in the field, and make sure the stored value is also HTML-encoded wherever it is rendered, since output encoding is what actually neutralises a payload that slips past the filter.

Content Security Policy (applies to: all)

Implement a strict Content-Security-Policy header to prevent execution of injected scripts, for example:

Content-Security-Policy: script-src 'self'

Note that script-src 'self' without 'unsafe-inline' also blocks the application's own inline scripts, so test the CiviCRM pages you rely on before enforcing it (or roll it out in Content-Security-Policy-Report-Only mode first).

🧯 If You Can't Patch

  • Restrict access to Accounting Batches functionality to only trusted administrators
  • Implement web application firewall rules to block XSS payloads in the affected field

🔍 How to Verify

Check if Vulnerable:

Check the CiviCRM version in the administration panel or via the database query below.

Check Version:

SELECT version FROM civicrm_domain LIMIT 1;

Verify Fix Applied:

After the upgrade, verify that the version is 6.7 or higher and confirm that script content entered into the Accounting Batches field is rendered as text rather than executed.

📡 Detection & Monitoring

Log Indicators:

  • Unusual JavaScript payloads in Accounting Batches field submissions
  • Multiple failed login attempts followed by Accounting Batches access

Network Indicators:

  • Outbound connections to suspicious domains from CiviCRM sessions
  • Unusual POST requests to Accounting Batches endpoints

SIEM Query:

source="civicrm.log" AND ("Accounting Batches" AND ("<script>" OR "javascript:" OR "onerror=" OR "onload="))
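The Log Indicators and SIEM query above can be applied in code as well. The Python below is an added example, not part of this advisory or of CiviCRM, and it assumes a constructed key=value log format for form submissions; it goes slightly beyond the SIEM query by matching case-insensitively and after URL-decoding, which a literal string match such as "<script>" would miss.

```python
import re
from urllib.parse import unquote

# Indicators from the SIEM query, plus common tags that carry such handlers.
XSS_RE = re.compile(
    r"<\s*script"                  # <script ...>
    r"|javascript\s*:"             # javascript: URLs in href/src
    r"|\bon(?:error|load)\s*="     # onerror= / onload= handlers
    r"|<\s*(?:img|svg|iframe)\b",  # tags that commonly carry those handlers
    re.IGNORECASE,
)

# Constructed sample log lines (not real CiviCRM log output): key=value
# records of form submissions, with the submitted value in double quotes.
LOG_LINES = [
    'ts=2025-11-20T10:01:02Z user=alice action="Accounting Batches" value="Q3 receipts"',
    'ts=2025-11-20T10:02:17Z user=bob action="Accounting Batches" value="<ScRiPt>alert(1)</script>"',
    'ts=2025-11-20T10:03:44Z user=bob action="Accounting Batches" value="%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E"',
    'ts=2025-11-20T10:04:09Z user=carol action="Contact Notes" value="<script>x</script>"',
]


def normalise(value: str) -> str:
    """Undo up to two layers of URL encoding so %3Cscript%3E is not missed."""
    for _ in range(2):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan(lines):
    """Return one finding per Accounting Batches submission carrying an XSS indicator."""
    findings = []
    for line in lines:
        if "Accounting Batches" not in line:  # scope to the affected field, like the SIEM query
            continue
        match = re.search(r'value="(.*)"', line)
        if not match:
            continue
        value = normalise(match.group(1))
        indicators = [hit.group(0) for hit in XSS_RE.finditer(value)]
        if indicators:
            user = re.search(r"user=(\S+)", line)
            findings.append({"user": user.group(1) if user else "unknown",
                             "indicators": indicators, "value": value})
    return findings
```

Running scan(LOG_LINES) flags only bob's two submissions; carol's script tag in a different field is out of scope for this rule and alice's plain text produces no hit.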
