CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2020-28849
https://notcve.org/view.php?id=CVE-2020-28849
11 Aug 2023 — Cross Site Scripting (XSS) vulnerability in ChurchCRM version 4.2.1, allows remote attckers to execute arbitrary code and gain sensitive information via crafted payload in Add New Deposit field in View All Deposit module. Una vulnerabilidad de Cross-Site Scripting (XSS) en ChurchCRM v4.2.1 permite a atacantes remotos ejecutar código arbitrario y obtener información confidencial a través de un payload manipulado en el campo "Add New Deposit" del módulo "View All Deposit". • https://github.com/ChurchCRM/CRM/issues/5477 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2020-28848
https://notcve.org/view.php?id=CVE-2020-28848
11 Aug 2023 — CSV Injection vulnerability in ChurchCRM version 4.2.0, allows remote attackers to execute arbitrary code via crafted CSV file. Una vulnerabilidad de inyección CSV en ChurchCRM versión 4.2.0, permite a atacantes remotos ejecutar código arbitrario a través de un archivo CSV manipulado. • https://github.com/ChurchCRM/CRM/issues/5465 • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-24690
https://notcve.org/view.php?id=CVE-2023-24690
09 Feb 2023 — ChurchCRM 4.5.3 and below was discovered to contain a stored cross-site scripting (XSS) vulnerability at /api/public/register/family. • http://churchcrm.io • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-24684
https://notcve.org/view.php?id=CVE-2023-24684
09 Feb 2023 — ChurchCRM v4.5.3 and below was discovered to contain a SQL injection vulnerability via the EID parameter at GetText.php. • http://churchcrm.io • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-24686
https://notcve.org/view.php?id=CVE-2023-24686
09 Feb 2023 — An issue in the CSV Import function of ChurchCRM v4.5.3 and below allows attackers to execute arbitrary code via importing a crafted CSV file. • http://churchcrm.io • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.3EPSS: 0%CPEs: 1EXPL: 3CVE-2023-24685 – ChurchCRM 4.5.1 SQL Injection
https://notcve.org/view.php?id=CVE-2023-24685
09 Feb 2023 — ChurchCRM v4.5.3 and below was discovered to contain a SQL injection vulnerability via the Event parameter under the Event Attendance reports module. ChurchCRM version 4.5.1 suffers from a remote authenticated SQL injection vulnerability. • https://packetstorm.news/files/id/171805 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-36136
https://notcve.org/view.php?id=CVE-2022-36136
29 Nov 2022 — ChurchCRM Version 4.4.5 has XSS vulnerabilities that allow attackers to store XSS via location input Deposit Comment. ChurchCRM Versión 4.4.5 tiene vulnerabilidades XSS que permiten a los atacantes almacenar XSS mediante la entrada de ubicación, Comentario de Depósito. • https://github.com/ChurchCRM/CRM/releases/tag/4.4.5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1CVE-2022-36137
https://notcve.org/view.php?id=CVE-2022-36137
29 Nov 2022 — ChurchCRM Version 4.4.5 has XSS vulnerabilities that allow attackers to store XSS via location input sHeader. ChurchCRM Versión 4.4.5 tiene vulnerabilidades XSS que permiten a los atacantes almacenar XSS a través del encabezado de entrada de ubicación. • https://github.com/ChurchCRM/CRM/releases/tag/4.4.5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 2CVE-2022-31325 – ChurchCRM 4.4.5 - SQLi
https://notcve.org/view.php?id=CVE-2022-31325
08 Jun 2022 — There is a SQL Injection vulnerability in ChurchCRM 4.4.5 via the 'PersonID' field in /churchcrm/WhyCameEditor.php. Se presenta una vulnerabilidad de inyección SQL en ChurchCRM versión 4.4.5, por medio del campo "PersonID" en el archivo /churchcrm/WhyCameEditor.php ChurchCRM version 4.4.5 suffers from a remote SQL injection vulnerability. • https://www.exploit-db.com/exploits/50965 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-41965
https://notcve.org/view.php?id=CVE-2021-41965
15 May 2022 — A SQL injection vulnerability exists in ChurchCRM version 2.0.0 to 4.4.5 that allows an authenticated attacker to issue an arbitrary SQL command to the database through the unsanitized EN_tyid, theID and EID fields used when an Edit action on an existing record is being performed. Se presenta una vulnerabilidad de inyección SQL en ChurchCRM versiones 2.0.0 a 4.4.5, que permite a un atacante autenticado emitir un comando SQL arbitrario a la base de datos mediante los campos EN_tyid, theID y EID no saneados u... • https://churchcrm.io • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •