
CVSS: 8.8 | EPSS: 0% | CPEs: 1 | EXPL: 3

ChurchCRM 4.5.4 endpoint /EditEventTypes.php is vulnerable to Blind SQL Injection (Time-based) via the EN_tyid POST parameter. ChurchCRM version 4.5.4 suffers from a remote authenticated blind SQL injection vulnerability.
References:
http://packetstormsecurity.com/files/175105/ChurchCRM-4.5.4-SQL-Injection.html
https://github.com/ChurchCRM/CRM
https://github.com/arvandy/CVE/blob/main/CVE-2023-29842/CVE-2023-29842.md
https://github.com/arvandy/CVE/blob/main/CVE-2023-29842/CVE-2023-29842.py
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 5.3 | EPSS: 0% | CPEs: 1 | EXPL: 1

A cross-site request forgery (CSRF) vulnerability in ChurchCRM v4.5.3 allows attackers to set a person to a user and set that user to be an Administrator.
References:
https://github.com/10splayaSec/CVE-Disclosures/tree/main/ChurchCRM/CVE-2023-26840
https://github.com/ChurchCRM/CRM
CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 6.5 | EPSS: 0% | CPEs: 1 | EXPL: 1

A cross-site request forgery (CSRF) vulnerability in ChurchCRM v4.5.3 allows attackers to change any user's password except for the user that is currently logged in.
References:
https://github.com/10splayaSec/CVE-Disclosures/tree/main/ChurchCRM/CVE-2023-26841
https://github.com/ChurchCRM/CRM
CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 4.3 | EPSS: 0% | CPEs: 1 | EXPL: 1

A cross-site request forgery (CSRF) vulnerability in ChurchCRM v4.5.3 allows attackers to edit information for existing people on the site.
References:
https://github.com/10splayaSec/CVE-Disclosures/tree/main/ChurchCRM/CVE-2023-26839
https://github.com/ChurchCRM/CRM
CWE-352: Cross-Site Request Forgery (CSRF)

CVSS: 5.4 | EPSS: 0% | CPEs: 1 | EXPL: 1

A stored cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via input fields. These input fields are located in the "Title" input field in EventEditor.php.
References:
https://github.com/10splayaSec/CVE-Disclosures/tree/main/ChurchCRM/CVE-2023-25347
https://github.com/ChurchCRM/CRM
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')