CVE-2023-33661
https://notcve.org/view.php?id=CVE-2023-33661
Multiple cross-site scripting (XSS) vulnerabilities were discovered in Church CRM v4.5.3 in GroupReports.php via GroupRole, ReportModel, and OnlyCart parameters. • https://github.com/ChurchCRM/CRM/issues/6474 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-31548
https://notcve.org/view.php?id=CVE-2023-31548
A stored cross-site scripting (XSS) vulnerability in the FundRaiserEditor.php component of ChurchCRM v4.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. • https://github.com/10splayaSec/CVE-Disclosures/tree/main/ChurchCRM/CVE-2023-31548 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-26842
https://notcve.org/view.php?id=CVE-2023-26842
A stored cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via OptionManager.php. • https://github.com/10splayaSec/CVE-Disclosures/tree/main/ChurchCRM/CVE-2023-26842 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-31699 – ChurchCRM v4.5.4 - Reflected XSS via Image (Authenticated)
https://notcve.org/view.php?id=CVE-2023-31699
ChurchCRM v4.5.4 is vulnerable to reflected cross-site scripting (XSS) via an image file. • https://www.exploit-db.com/exploits/51477 https://github.com/ChurchCRM/CRM/issues/6471 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-29842 – ChurchCRM 4.5.4 SQL Injection
https://notcve.org/view.php?id=CVE-2023-29842
ChurchCRM 4.5.4 endpoint /EditEventTypes.php is vulnerable to blind SQL injection (time-based) via the EN_tyid POST parameter. ChurchCRM version 4.5.4 suffers from a remote authenticated blind SQL injection vulnerability. • http://packetstormsecurity.com/files/175105/ChurchCRM-4.5.4-SQL-Injection.html https://github.com/ChurchCRM/CRM https://github.com/arvandy/CVE/blob/main/CVE-2023-29842/CVE-2023-29842.md https://github.com/arvandy/CVE/blob/main/CVE-2023-29842/CVE-2023-29842.py • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')