Vulnerabilities > Churchcrm > High

DATE CVE VULNERABILITY TITLE RISK
2023-08-08 CVE-2023-38771 SQL Injection vulnerability in Churchcrm 5.0.0
SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the volopp parameter within the /QueryView.php.
network
low complexity
churchcrm CWE-89
7.5
7.5
2023-08-08 CVE-2023-38773 SQL Injection vulnerability in Churchcrm 5.0.0
SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the volopp1 and volopp2 parameters within the /QueryView.php.
network
low complexity
churchcrm CWE-89
7.5
7.5
2023-05-04 CVE-2023-29842 SQL Injection vulnerability in Churchcrm 4.5.4
ChurchCRM 4.5.4 endpoint /EditEventTypes.php is vulnerable to Blind SQL Injection (Time-based) via the EN_tyid POST parameter.
network
low complexity
churchcrm CWE-89
8.8
8.8
2023-04-25 CVE-2023-25348 Improper Neutralization of Formula Elements in a CSV File vulnerability in Churchcrm 4.5.3
ChurchCRM 4.5.3 was discovered to contain a CSV injection vulnerability via the Last Name and First Name input fields when creating a new person.
local
low complexity
churchcrm CWE-1236
7.8
7.8
2023-04-04 CVE-2023-26855 Use of Insufficiently Random Values vulnerability in Churchcrm 4.5.3
The hashing algorithm of ChurchCRM v4.5.3 utilizes a non-random salt value which allows attackers to use precomputed hash tables or dictionary attacks to crack the hashed passwords.
network
low complexity
churchcrm CWE-330
7.5
7.5
2023-02-09 CVE-2023-24684 SQL Injection vulnerability in Churchcrm
ChurchCRM v4.5.3 and below was discovered to contain a SQL injection vulnerability via the EID parameter at GetText.php.
network
low complexity
churchcrm CWE-89
7.2
7.2
2023-02-09 CVE-2023-24685 SQL Injection vulnerability in Churchcrm
ChurchCRM v4.5.3 and below was discovered to contain a SQL injection vulnerability via the Event parameter under the Event Attendance reports module.
network
low complexity
churchcrm CWE-89
7.2
7.2
2022-06-08 CVE-2022-31325 SQL Injection vulnerability in Churchcrm 4.4.5
There is a SQL Injection vulnerability in ChurchCRM 4.4.5 via the 'PersonID' field in /churchcrm/WhyCameEditor.php.
network
low complexity
churchcrm CWE-89
7.2
7.2
2022-05-15 CVE-2021-41965 SQL Injection vulnerability in Churchcrm
A SQL injection vulnerability exists in ChurchCRM version 2.0.0 to 4.4.5 that allows an authenticated attacker to issue an arbitrary SQL command to the database through the unsanitized EN_tyid, theID and EID fields used when an Edit action on an existing record is being performed.
network
low complexity
churchcrm CWE-89
8.8
8.8