
CVE-2024-25895
https://notcve.org/view.php?id=CVE-2024-25895
21 Feb 2024 — A reflected cross-site scripting (XSS) vulnerability in ChurchCRM 5.5.0 allows remote attackers to inject arbitrary web script or HTML via the type parameter of /EventAttendance.php. • https://github.com/ChurchCRM/CRM/issues/6853 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2024-25891
https://notcve.org/view.php?id=CVE-2024-25891
21 Feb 2024 — ChurchCRM 5.5.0 FRBidSheets.php is vulnerable to blind SQL injection (time-based) via the CurrentFundraiser GET parameter. • https://github.com/ChurchCRM/CRM/issues/6856 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2024-25893
https://notcve.org/view.php?id=CVE-2024-25893
21 Feb 2024 — ChurchCRM 5.5.0 FRCertificates.php is vulnerable to blind SQL injection (time-based) via the CurrentFundraiser GET parameter. • https://github.com/ChurchCRM/CRM/issues/6856 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2024-25897
https://notcve.org/view.php?id=CVE-2024-25897
21 Feb 2024 — ChurchCRM 5.5.0 FRCatalog.php is vulnerable to blind SQL injection (time-based) via the CurrentFundraiser GET parameter. • https://github.com/i-100-user/CVE-2024-25897 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2024-25898
https://notcve.org/view.php?id=CVE-2024-25898
21 Feb 2024 — An XSS vulnerability was found in the "edit your event" functionality of ChurchCRM v.5.5.0, where malicious JS or HTML code can be inserted in the Event Sermon field in EventEditor.php. • https://github.com/ChurchCRM/CRM/issues/6851

CVE-2020-28849
https://notcve.org/view.php?id=CVE-2020-28849
11 Aug 2023 — Cross-site scripting (XSS) vulnerability in ChurchCRM version 4.2.1 allows remote attackers to execute arbitrary code and gain sensitive information via a crafted payload in the "Add New Deposit" field of the "View All Deposit" module. • https://github.com/ChurchCRM/CRM/issues/5477 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2020-28848
https://notcve.org/view.php?id=CVE-2020-28848
11 Aug 2023 — CSV injection vulnerability in ChurchCRM version 4.2.0 allows remote attackers to execute arbitrary code via a crafted CSV file. • https://github.com/ChurchCRM/CRM/issues/5465 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CVE-2023-38773
https://notcve.org/view.php?id=CVE-2023-38773
08 Aug 2023 — SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the volopp1 and volopp2 parameters of /QueryView.php. • https://churchcrm.io • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2023-38763
https://notcve.org/view.php?id=CVE-2023-38763
08 Aug 2023 — SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the FundRaiserID parameter of the /FundRaiserEditor.php endpoint. • https://churchcrm.io • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2023-38765
https://notcve.org/view.php?id=CVE-2023-38765
08 Aug 2023 — SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the membermonth parameter of /QueryView.php. • https://churchcrm.io • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')