ChurchCRM vulnerabilities

Each entry lists the publication date, CVE identifier, vulnerability title and risk score, followed by the description, attack vector, attack complexity, vendor and CWE weakness class.

DATE        CVE             VULNERABILITY TITLE                                                                     RISK

2023-05-04  CVE-2023-29842  SQL Injection vulnerability in ChurchCRM 4.5.4                                          8.8
    ChurchCRM 4.5.4 endpoint /EditEventTypes.php is vulnerable to Blind SQL Injection (Time-based) via the EN_tyid POST parameter.
    Attack vector: network | Complexity: low | Vendor: churchcrm | Weakness: CWE-89

2023-04-25  CVE-2023-25346  Cross-site Scripting vulnerability in ChurchCRM 4.5.3                                   6.1
    A reflected cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the id parameter of /churchcrm/v2/family/not-found.
    Attack vector: network | Complexity: low | Vendor: churchcrm | Weakness: CWE-79

2023-04-25  CVE-2023-25347  Cross-site Scripting vulnerability in ChurchCRM 4.5.3                                   5.4
    A stored cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via input fields.
    Attack vector: network | Complexity: low | Vendor: churchcrm | Weakness: CWE-79

2023-04-25  CVE-2023-25348  Improper Neutralization of Formula Elements in a CSV File vulnerability in ChurchCRM 4.5.3   7.8
    ChurchCRM 4.5.3 was discovered to contain a CSV injection vulnerability via the Last Name and First Name input fields when creating a new person.
    Attack vector: local | Complexity: low | Vendor: churchcrm | Weakness: CWE-1236

2023-04-25  CVE-2023-26839  Cross-Site Request Forgery (CSRF) vulnerability in ChurchCRM 4.5.3                      4.3
    A cross-site request forgery (CSRF) vulnerability in ChurchCRM v4.5.3 allows attackers to edit information for existing people on the site.
    Attack vector: network | Complexity: low | Vendor: churchcrm | Weakness: CWE-352

2023-04-25  CVE-2023-26840  Cross-Site Request Forgery (CSRF) vulnerability in ChurchCRM 4.5.3                      5.3
    A cross-site request forgery (CSRF) vulnerability in ChurchCRM v4.5.3 allows attackers to set a person to a user and set that user to be an Administrator.
    Attack vector: network | Complexity: high | Vendor: churchcrm | Weakness: CWE-352

2023-04-25  CVE-2023-26841  Cross-Site Request Forgery (CSRF) vulnerability in ChurchCRM 4.5.3                      6.5
    A cross-site request forgery (CSRF) vulnerability in ChurchCRM v4.5.3 allows attackers to change any user's password except for the user that is currently logged in.
    Attack vector: network | Complexity: low | Vendor: churchcrm | Weakness: CWE-352

2023-04-25  CVE-2023-26843  Cross-site Scripting vulnerability in ChurchCRM 4.5.3                                   5.4
    A stored cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via NoteEditor.php.
    Attack vector: network | Complexity: low | Vendor: churchcrm | Weakness: CWE-79

2023-04-04  CVE-2023-26855  Use of Insufficiently Random Values vulnerability in ChurchCRM 4.5.3                    7.5
    The hashing algorithm of ChurchCRM v4.5.3 uses a non-random salt value, which allows attackers to use precomputed hash tables or dictionary attacks to crack the hashed passwords.
    Attack vector: network | Complexity: low | Vendor: churchcrm | Weakness: CWE-330

2023-03-16  CVE-2023-27059  Cross-site Scripting vulnerability in ChurchCRM 4.5.3                                   5.4
    A cross-site scripting (XSS) vulnerability in the Edit Group function of ChurchCRM v4.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Edit Group Name text field.
    Attack vector: network | Complexity: low | Vendor: churchcrm | Weakness: CWE-79