CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-36137
https://notcve.org/view.php?id=CVE-2022-36137
29 Nov 2022 — ChurchCRM Version 4.4.5 has XSS vulnerabilities that allow attackers to store XSS via location input sHeader. ChurchCRM Versión 4.4.5 tiene vulnerabilidades XSS que permiten a los atacantes almacenar XSS a través del encabezado de entrada de ubicación. • https://github.com/ChurchCRM/CRM/releases/tag/4.4.5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 2CVE-2022-31325 – ChurchCRM 4.4.5 - SQLi
https://notcve.org/view.php?id=CVE-2022-31325
08 Jun 2022 — There is a SQL Injection vulnerability in ChurchCRM 4.4.5 via the 'PersonID' field in /churchcrm/WhyCameEditor.php. Se presenta una vulnerabilidad de inyección SQL en ChurchCRM versión 4.4.5, por medio del campo "PersonID" en el archivo /churchcrm/WhyCameEditor.php ChurchCRM version 4.4.5 suffers from a remote SQL injection vulnerability. • https://www.exploit-db.com/exploits/50965 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-41965
https://notcve.org/view.php?id=CVE-2021-41965
15 May 2022 — A SQL injection vulnerability exists in ChurchCRM version 2.0.0 to 4.4.5 that allows an authenticated attacker to issue an arbitrary SQL command to the database through the unsanitized EN_tyid, theID and EID fields used when an Edit action on an existing record is being performed. Se presenta una vulnerabilidad de inyección SQL en ChurchCRM versiones 2.0.0 a 4.4.5, que permite a un atacante autenticado emitir un comando SQL arbitrario a la base de datos mediante los campos EN_tyid, theID y EID no saneados u... • https://churchcrm.io • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •