CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-25346
https://notcve.org/view.php?id=CVE-2023-25346
25 Apr 2023 — A reflected cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the id parameter of /churchcrm/v2/family/not-found. • https://github.com/10splayaSec/CVE-Disclosures/tree/main/ChurchCRM/CVE-2023-25346 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-26840
https://notcve.org/view.php?id=CVE-2023-26840
25 Apr 2023 — A cross-site request forgery (CSRF) vulnerability in ChurchCRM v4.5.3 allows attackers to set a person to a user and set that user to be an Administrator. • https://github.com/10splayaSec/CVE-Disclosures/tree/main/ChurchCRM/CVE-2023-26840 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-26841
https://notcve.org/view.php?id=CVE-2023-26841
25 Apr 2023 — A cross-site request forgery (CSRF) vulnerability in ChurchCRM v4.5.3 allows attackers to change any user's password except for the user that is currently logged in. • https://github.com/10splayaSec/CVE-Disclosures/tree/main/ChurchCRM/CVE-2023-26841 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-26855
https://notcve.org/view.php?id=CVE-2023-26855
04 Apr 2023 — The hashing algorithm of ChurchCRM v4.5.3 utilizes a non-random salt value which allows attackers to use precomputed hash tables or dictionary attacks to crack the hashed passwords. • https://github.com/ChurchCRM/CRM/issues/6449 • CWE-330: Use of Insufficiently Random Values •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-27059
https://notcve.org/view.php?id=CVE-2023-27059
16 Mar 2023 — A cross-site scripting (XSS) vulnerability in the Edit Group function of ChurchCRM v4.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Edit Group Name text field. • https://github.com/ChurchCRM/CRM/issues/6450 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-24690
https://notcve.org/view.php?id=CVE-2023-24690
09 Feb 2023 — ChurchCRM 4.5.3 and below was discovered to contain a stored cross-site scripting (XSS) vulnerability at /api/public/register/family. • http://churchcrm.io • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-24684
https://notcve.org/view.php?id=CVE-2023-24684
09 Feb 2023 — ChurchCRM v4.5.3 and below was discovered to contain a SQL injection vulnerability via the EID parameter at GetText.php. • http://churchcrm.io • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-24686
https://notcve.org/view.php?id=CVE-2023-24686
09 Feb 2023 — An issue in the CSV Import function of ChurchCRM v4.5.3 and below allows attackers to execute arbitrary code via importing a crafted CSV file. • http://churchcrm.io • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 3CVE-2023-24685 – ChurchCRM 4.5.1 SQL Injection
https://notcve.org/view.php?id=CVE-2023-24685
09 Feb 2023 — ChurchCRM v4.5.3 and below was discovered to contain a SQL injection vulnerability via the Event parameter under the Event Attendance reports module. ChurchCRM version 4.5.1 suffers from a remote authenticated SQL injection vulnerability. • https://packetstorm.news/files/id/171805 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-36136
https://notcve.org/view.php?id=CVE-2022-36136
29 Nov 2022 — ChurchCRM Version 4.4.5 has XSS vulnerabilities that allow attackers to store XSS via location input Deposit Comment. ChurchCRM Versión 4.4.5 tiene vulnerabilidades XSS que permiten a los atacantes almacenar XSS mediante la entrada de ubicación, Comentario de Depósito. • https://github.com/ChurchCRM/CRM/releases/tag/4.4.5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •