Vulnerabilities > Churchcrm > Medium

DATE CVE VULNERABILITY TITLE RISK
2023-04-25 CVE-2023-26839 Cross-Site Request Forgery (CSRF) vulnerability in Churchcrm 4.5.3
A cross-site request forgery (CSRF) vulnerability in ChurchCRM v4.5.3 allows attackers to edit information for existing people on the site.
network
low complexity
churchcrm CWE-352
4.3
2023-04-25 CVE-2023-26840 Cross-Site Request Forgery (CSRF) vulnerability in Churchcrm 4.5.3
A cross-site request forgery (CSRF) vulnerability in ChurchCRM v4.5.3 allows attackers to set a person to a user and set that user to be an Administrator.
network
high complexity
churchcrm CWE-352
5.3
2023-04-25 CVE-2023-26841 Cross-Site Request Forgery (CSRF) vulnerability in Churchcrm 4.5.3
A cross-site request forgery (CSRF) vulnerability in ChurchCRM v4.5.3 allows attackers to change any user's password except for the user that is currently logged in.
network
low complexity
churchcrm CWE-352
6.5
2023-04-25 CVE-2023-26843 Cross-site Scripting vulnerability in Churchcrm 4.5.3
A stored Cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the NoteEditor.php.
network
low complexity
churchcrm CWE-79
5.4
2023-03-16 CVE-2023-27059 Cross-site Scripting vulnerability in Churchcrm 4.5.3
A cross-site scripting (XSS) vulnerability in the Edit Group function of ChurchCRM v4.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Edit Group Name text field.
network
low complexity
churchcrm CWE-79
5.4
2023-02-09 CVE-2023-24686 Cross-site Scripting vulnerability in Churchcrm
An issue in the CSV Import function of ChurchCRM v4.5.3 and below allows attackers to execute arbitrary code via importing a crafted CSV file.
network
low complexity
churchcrm CWE-79
4.8
2023-02-09 CVE-2023-24690 Cross-site Scripting vulnerability in Churchcrm
ChurchCRM 4.5.3 and below was discovered to contain a stored cross-site scripting (XSS) vulnerability at /api/public/register/family.
network
low complexity
churchcrm CWE-79
5.4
2022-11-29 CVE-2022-36136 Cross-site Scripting vulnerability in Churchcrm 4.4.5
ChurchCRM Version 4.4.5 has XSS vulnerabilities that allow attackers to store XSS via location input Deposit Comment.
network
low complexity
churchcrm CWE-79
4.8
2022-11-29 CVE-2022-36137 Cross-site Scripting vulnerability in Churchcrm 4.4.5
ChurchCRM Version 4.4.5 has XSS vulnerabilities that allow attackers to store XSS via location input sHeader.
network
low complexity
churchcrm CWE-79
4.8
2022-05-15 CVE-2021-41965 SQL Injection vulnerability in Churchcrm
A SQL injection vulnerability exists in ChurchCRM version 2.0.0 to 4.4.5 that allows an authenticated attacker to issue an arbitrary SQL command to the database through the unsanitized EN_tyid, theID and EID fields used when an Edit action on an existing record is being performed.
network
low complexity
churchcrm CWE-89
6.5