CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2023-38771
https://notcve.org/view.php?id=CVE-2023-38771
08 Aug 2023 — SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the volopp parameter within the /QueryView.php. Una vulnerabilidad de inyección SQL en ChurchCRM v5.0.0 permite a un atacante remoto obtener información sensible a través del parámetro "volopp" dentro de "/QueryView.php". • https://churchcrm.io • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-33661
https://notcve.org/view.php?id=CVE-2023-33661
28 Jun 2023 — Multiple cross-site scripting (XSS) vulnerabilities were discovered in Church CRM v4.5.3 in GroupReports.php via GroupRole, ReportModel, and OnlyCart parameters. • https://github.com/ChurchCRM/CRM/issues/6474 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 17%CPEs: 1EXPL: 1CVE-2023-26842
https://notcve.org/view.php?id=CVE-2023-26842
31 May 2023 — A stored Cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the OptionManager.php. • https://github.com/10splayaSec/CVE-Disclosures/tree/main/ChurchCRM/CVE-2023-26842 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 19%CPEs: 1EXPL: 1CVE-2023-31548
https://notcve.org/view.php?id=CVE-2023-31548
31 May 2023 — A stored Cross-site scripting (XSS) vulnerability in the FundRaiserEditor.php component of ChurchCRM v4.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. • https://github.com/10splayaSec/CVE-Disclosures/tree/main/ChurchCRM/CVE-2023-31548 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-31699 – ChurchCRM v4.5.4 - Reflected XSS via Image (Authenticated)
https://notcve.org/view.php?id=CVE-2023-31699
17 May 2023 — ChurchCRM v4.5.4 is vulnerable to Reflected Cross-Site Scripting (XSS) via image file. • https://www.exploit-db.com/exploits/51477 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 4CVE-2023-29842 – ChurchCRM 4.5.4 SQL Injection
https://notcve.org/view.php?id=CVE-2023-29842
04 May 2023 — ChurchCRM 4.5.4 endpoint /EditEventTypes.php is vulnerable to Blind SQL Injection (Time-based) via the EN_tyid POST parameter. ChurchCRM version 4.5.4 suffers from a remote authenticated blind SQL injection vulnerability. • https://packetstorm.news/files/id/175105 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-25348
https://notcve.org/view.php?id=CVE-2023-25348
25 Apr 2023 — ChurchCRM 4.5.3 was discovered to contain a CSV injection vulnerability via the Last Name and First Name input fields when creating a new person. These vulnerabilities allow attackers to execute arbitrary code via a crafted excel file. • https://github.com/10splayaSec/CVE-Disclosures/tree/main/ChurchCRM/CVE-2023-25348 • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-26839
https://notcve.org/view.php?id=CVE-2023-26839
25 Apr 2023 — A cross-site request forgery (CSRF) vulnerability in ChurchCRM v4.5.3 allows attackers to edit information for existing people on the site. • https://github.com/10splayaSec/CVE-Disclosures/tree/main/ChurchCRM/CVE-2023-26839 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-26841
https://notcve.org/view.php?id=CVE-2023-26841
25 Apr 2023 — A cross-site request forgery (CSRF) vulnerability in ChurchCRM v4.5.3 allows attackers to change any user's password except for the user that is currently logged in. • https://github.com/10splayaSec/CVE-Disclosures/tree/main/ChurchCRM/CVE-2023-26841 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-26840
https://notcve.org/view.php?id=CVE-2023-26840
25 Apr 2023 — A cross-site request forgery (CSRF) vulnerability in ChurchCRM v4.5.3 allows attackers to set a person to a user and set that user to be an Administrator. • https://github.com/10splayaSec/CVE-Disclosures/tree/main/ChurchCRM/CVE-2023-26840 • CWE-352: Cross-Site Request Forgery (CSRF) •