CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2024-39304 – ChurchCRM SQL Injection Vulnerability
https://notcve.org/view.php?id=CVE-2024-39304
ChurchCRM is an open-source church management system. Versions of the application prior to 5.9.2 are vulnerable to an authenticated SQL injection due to an improper sanitization of user input. Authentication is required, but no elevated privileges are necessary. This allows attackers to inject SQL statements directly into the database query due to inadequate sanitization of the EID parameter in in a GET request to `/GetText.php`. Version 5.9.2 patches the issue. • https://github.com/apena-ba/CVE-2024-39304 https://github.com/ChurchCRM/CRM/commit/e3bd7bfbf33f01148df0ef1acdb0cf2c2b878b08 https://github.com/ChurchCRM/CRM/security/advisories/GHSA-2rh6-gr3h-83j9 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2020-28848
https://notcve.org/view.php?id=CVE-2020-28848
CSV Injection vulnerability in ChurchCRM version 4.2.0, allows remote attackers to execute arbitrary code via crafted CSV file. Una vulnerabilidad de inyección CSV en ChurchCRM versión 4.2.0, permite a atacantes remotos ejecutar código arbitrario a través de un archivo CSV manipulado. • https://github.com/ChurchCRM/CRM/issues/5465 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2020-28849
https://notcve.org/view.php?id=CVE-2020-28849
Cross Site Scripting (XSS) vulnerability in ChurchCRM version 4.2.1, allows remote attckers to execute arbitrary code and gain sensitive information via crafted payload in Add New Deposit field in View All Deposit module. Una vulnerabilidad de Cross-Site Scripting (XSS) en ChurchCRM v4.2.1 permite a atacantes remotos ejecutar código arbitrario y obtener información confidencial a través de un payload manipulado en el campo "Add New Deposit" del módulo "View All Deposit". • https://github.com/ChurchCRM/CRM/issues/5477 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-38769
https://notcve.org/view.php?id=CVE-2023-38769
SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the searchstring and searchwhat parameters within the /QueryView.php. Una vulnerabilidad de inyección SQL en ChurchCRM v5.0.0 permite a un atacante remoto obtener información sensible a través de los parámetros "searchstring" y "searchwhat" dentro de "/QueryView.php". • https://churchcrm.io https://demo.churchcrm.io/master https://github.com/0x72303074/CVE-Disclosures https://github.com/ChurchCRM/CRM/wiki • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2023-38764
https://notcve.org/view.php?id=CVE-2023-38764
SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the birthmonth and percls parameters within the /QueryView.php. • https://churchcrm.io https://demo.churchcrm.io/master https://github.com/0x72303074/CVE-Disclosures https://github.com/ChurchCRM/CRM/wiki • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •