CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-25347
https://notcve.org/view.php?id=CVE-2023-25347
A stored cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3, allows remote attackers to inject arbitrary web script or HTML via input fields. These input fields are located in the "Title" Input Field in EventEditor.php. • https://github.com/10splayaSec/CVE-Disclosures/tree/main/ChurchCRM/CVE-2023-25347 https://github.com/ChurchCRM/CRM • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-25348
https://notcve.org/view.php?id=CVE-2023-25348
ChurchCRM 4.5.3 was discovered to contain a CSV injection vulnerability via the Last Name and First Name input fields when creating a new person. These vulnerabilities allow attackers to execute arbitrary code via a crafted excel file. • https://github.com/10splayaSec/CVE-Disclosures/tree/main/ChurchCRM/CVE-2023-25348 https://github.com/ChurchCRM/CRM • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-26855
https://notcve.org/view.php?id=CVE-2023-26855
The hashing algorithm of ChurchCRM v4.5.3 utilizes a non-random salt value which allows attackers to use precomputed hash tables or dictionary attacks to crack the hashed passwords. • https://github.com/ChurchCRM/CRM/issues/6449 • CWE-330: Use of Insufficiently Random Values •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-27059
https://notcve.org/view.php?id=CVE-2023-27059
A cross-site scripting (XSS) vulnerability in the Edit Group function of ChurchCRM v4.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Edit Group Name text field. • https://github.com/ChurchCRM/CRM/issues/6450 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 1CVE-2023-24685 – ChurchCRM 4.5.3 SQL Injection
https://notcve.org/view.php?id=CVE-2023-24685
ChurchCRM v4.5.3 and below was discovered to contain a SQL injection vulnerability via the Event parameter under the Event Attendance reports module. ChurchCRM versions 4.5.3 and below suffer from a remote SQL injection vulnerability. • http://churchcrm.io http://packetstormsecurity.com/files/172047/ChurchCRM-4.5.3-SQL-Injection.html https://github.com/ChurchCRM/CRM https://github.com/blakduk/Advisories/blob/main/ChurchCRM/README.md • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •