
CVE-2024-25892
https://notcve.org/view.php?id=CVE-2024-25892
21 Feb 2024 — ChurchCRM 5.5.0 ConfirmReport.php is vulnerable to Blind SQL Injection (Time-based) via the familyId GET parameter. • https://github.com/ChurchCRM/CRM/issues/6858 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2024-25893
https://notcve.org/view.php?id=CVE-2024-25893
21 Feb 2024 — ChurchCRM 5.5.0 FRCertificates.php is vulnerable to Blind SQL Injection (Time-based) via the CurrentFundraiser GET parameter. • https://github.com/ChurchCRM/CRM/issues/6856 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2024-25894
https://notcve.org/view.php?id=CVE-2024-25894
21 Feb 2024 — ChurchCRM 5.5.0 /EventEditor.php is vulnerable to Blind SQL Injection (Time-based) via the EventCount POST parameter. • https://github.com/ChurchCRM/CRM/issues/6849 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2024-25895
https://notcve.org/view.php?id=CVE-2024-25895
21 Feb 2024 — A reflected cross-site scripting (XSS) vulnerability in ChurchCRM 5.5.0 allows remote attackers to inject arbitrary web script or HTML via the type parameter of /EventAttendance.php. • https://github.com/ChurchCRM/CRM/issues/6853 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2024-25897
https://notcve.org/view.php?id=CVE-2024-25897
21 Feb 2024 — ChurchCRM 5.5.0 FRCatalog.php is vulnerable to Blind SQL Injection (Time-based) via the CurrentFundraiser GET parameter. • https://github.com/i-100-user/CVE-2024-25897 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2024-25898
https://notcve.org/view.php?id=CVE-2024-25898
21 Feb 2024 — An XSS vulnerability was found in the ChurchCRM v.5.5.0 "edit your event" functionality, where malicious JS or HTML code can be inserted in the Event Sermon field in EventEditor.php. • https://github.com/ChurchCRM/CRM/issues/6851 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2020-28848
https://notcve.org/view.php?id=CVE-2020-28848
11 Aug 2023 — CSV Injection vulnerability in ChurchCRM version 4.2.0 allows remote attackers to execute arbitrary code via a crafted CSV file. • https://github.com/ChurchCRM/CRM/issues/5465 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •

CVE-2020-28849
https://notcve.org/view.php?id=CVE-2020-28849
11 Aug 2023 — Cross Site Scripting (XSS) vulnerability in ChurchCRM version 4.2.1 allows remote attackers to execute arbitrary code and gain sensitive information via a crafted payload in the "Add New Deposit" field of the "View All Deposit" module. • https://github.com/ChurchCRM/CRM/issues/5477 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-38762
https://notcve.org/view.php?id=CVE-2023-38762
08 Aug 2023 — SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the friendmonths parameter within the /QueryView.php component. • https://churchcrm.io • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2023-38760
https://notcve.org/view.php?id=CVE-2023-38760
08 Aug 2023 — SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the role and gender parameters within the /QueryView.php component. • https://churchcrm.io • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •