
CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 1

28 Jun 2023 — Multiple cross-site scripting (XSS) vulnerabilities were discovered in ChurchCRM v4.5.3 in GroupReports.php via the GroupRole, ReportModel, and OnlyCart parameters. • https://github.com/ChurchCRM/CRM/issues/6474 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

31 May 2023 — A stored cross-site scripting (XSS) vulnerability in the FundRaiserEditor.php component of ChurchCRM v4.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. • https://github.com/10splayaSec/CVE-Disclosures/tree/main/ChurchCRM/CVE-2023-31548 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

31 May 2023 — A stored cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via OptionManager.php. • https://github.com/10splayaSec/CVE-Disclosures/tree/main/ChurchCRM/CVE-2023-26842 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 4.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

17 May 2023 — ChurchCRM v4.5.4 is vulnerable to reflected cross-site scripting (XSS) via an image file. • https://www.exploit-db.com/exploits/51477 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.0 • EPSS: 0% • CPEs: 1 • EXPL: 4

04 May 2023 — The ChurchCRM 4.5.4 endpoint /EditEventTypes.php is vulnerable to blind (time-based) SQL injection via the EN_tyid POST parameter. ChurchCRM version 4.5.4 suffers from a remote authenticated blind SQL injection vulnerability. • https://packetstorm.news/files/id/175105 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

25 Apr 2023 — A stored cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via input fields, specifically the "Title" input field in EventEditor.php. • https://github.com/10splayaSec/CVE-Disclosures/tree/main/ChurchCRM/CVE-2023-25347 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 1

25 Apr 2023 — ChurchCRM 4.5.3 was discovered to contain a CSV injection vulnerability via the Last Name and First Name input fields when creating a new person. These vulnerabilities allow attackers to execute arbitrary code via a crafted Excel file. • https://github.com/10splayaSec/CVE-Disclosures/tree/main/ChurchCRM/CVE-2023-25348 • CWE-1236: Improper Neutralization of Formula Elements in a CSV File

CVSS: 5.0 • EPSS: 0% • CPEs: 1 • EXPL: 1

25 Apr 2023 — A cross-site request forgery (CSRF) vulnerability in ChurchCRM v4.5.3 allows attackers to edit information for existing people on the site. • https://github.com/10splayaSec/CVE-Disclosures/tree/main/ChurchCRM/CVE-2023-26839 • CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

25 Apr 2023 — A stored cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via NoteEditor.php. • https://github.com/10splayaSec/CVE-Disclosures/tree/main/ChurchCRM/CVE-2023-26843 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 1

25 Apr 2023 — A reflected cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the id parameter of /churchcrm/v2/family/not-found. • https://github.com/10splayaSec/CVE-Disclosures/tree/main/ChurchCRM/CVE-2023-25346 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')