CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2023-24685 – ChurchCRM 4.5.3 SQL Injection
https://notcve.org/view.php?id=CVE-2023-24685
ChurchCRM v4.5.3 and below was discovered to contain a SQL injection vulnerability via the Event parameter under the Event Attendance reports module. ChurchCRM versions 4.5.3 and below suffer from a remote SQL injection vulnerability. • http://churchcrm.io http://packetstormsecurity.com/files/172047/ChurchCRM-4.5.3-SQL-Injection.html https://github.com/ChurchCRM/CRM https://github.com/blakduk/Advisories/blob/main/ChurchCRM/README.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-41965
https://notcve.org/view.php?id=CVE-2021-41965
A SQL injection vulnerability exists in ChurchCRM version 2.0.0 to 4.4.5 that allows an authenticated attacker to issue an arbitrary SQL command to the database through the unsanitized EN_tyid, theID and EID fields used when an Edit action on an existing record is being performed. Se presenta una vulnerabilidad de inyección SQL en ChurchCRM versiones 2.0.0 a 4.4.5, que permite a un atacante autenticado emitir un comando SQL arbitrario a la base de datos mediante los campos EN_tyid, theID y EID no saneados usados cuando es llevado a cabo una acción de edición en un registro existente • https://churchcrm.io https://www.alexbilz.com/post/2022-05-14-cve-2021-41965 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •