Vulnerabilities > Churchcrm > Churchcrm > 3.3.0
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2025-02-19 | CVE-2025-1024 | Cross-site Scripting vulnerability in Churchcrm A vulnerability exists in ChurchCRM 5.13.0 that allows an attacker to execute arbitrary JavaScript in a victim's browser via Reflected Cross-Site Scripting (XSS) in the EditEventAttendees.php page. | 4.8 |
| 2025-02-19 | CVE-2025-1132 | SQL Injection vulnerability in Churchcrm A time-based blind SQL Injection vulnerability exists in the ChurchCRM 5.13.0 and prior EditEventAttendees.php within the EN_tyid parameter. | 8.8 |
| 2025-02-19 | CVE-2025-1133 | SQL Injection vulnerability in Churchcrm A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a boolean-based blind SQL Injection vulnerability in the EditEventAttendees functionality. | 7.2 |
| 2025-02-19 | CVE-2025-1134 | SQL Injection vulnerability in Churchcrm A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a boolean-based and time-based blind SQL Injection vulnerability in the DonatedItemEditor functionality. | 7.2 |
| 2025-02-19 | CVE-2025-1135 | SQL Injection vulnerability in Churchcrm A vulnerability exists in ChurchCRM 5.13.0. | 7.2 |
| 2025-02-18 | CVE-2025-0981 | Cross-site Scripting vulnerability in Churchcrm A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to hijack a user's session by exploiting a Stored Cross Site Scripting (XSS) vulnerability in the Group Editor page. | 6.1 |
| 2025-02-18 | CVE-2025-1023 | SQL Injection vulnerability in Churchcrm A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a time-based blind SQL Injection vulnerability in the EditEventTypes functionality. | 9.8 |
| 2024-07-26 | CVE-2024-39304 | SQL Injection vulnerability in Churchcrm ChurchCRM is an open-source church management system. | 8.8 |
| 2023-08-11 | CVE-2020-28849 | Cross-site Scripting vulnerability in Churchcrm Cross Site Scripting (XSS) vulnerability in ChurchCRM version 4.2.1, allows remote attckers to execute arbitrary code and gain sensitive information via crafted payload in Add New Deposit field in View All Deposit module. | 5.4 |
| 2023-02-09 | CVE-2023-24684 | SQL Injection vulnerability in Churchcrm ChurchCRM v4.5.3 and below was discovered to contain a SQL injection vulnerability via the EID parameter at GetText.php. | 7.2 |