ChurchCRM 4.4.5 Security Vulnerabilities
An issue in the CSV Import function of ChurchCRM v4.5.3 and below allows attackers to execute arbitrary code via importing a crafted CSV file.
CVSS Score: 4.8; EPSS Score: 0.001; Published: 2023-02-09
ChurchCRM 4.5.3 and below was discovered to contain a stored cross-site scripting (XSS) vulnerability at /api/public/register/family.
CVSS Score: 5.4; EPSS Score: 0.002; Published: 2023-02-09
ChurchCRM version 4.4.5 has XSS vulnerabilities that allow attackers to store XSS payloads via the Deposit Comment input.
CVSS Score: 4.8; EPSS Score: 0.001; Published: 2022-11-29
ChurchCRM version 4.4.5 has XSS vulnerabilities that allow attackers to store XSS payloads via the sHeader input.
CVSS Score: 4.8; EPSS Score: 0.001; Published: 2022-11-29
There is a SQL Injection vulnerability in ChurchCRM 4.4.5 via the 'PersonID' field in /churchcrm/WhyCameEditor.php.
CVSS Score: 7.2; EPSS Score: 0.004; Published: 2022-06-08
A SQL injection vulnerability exists in ChurchCRM versions 2.0.0 to 4.4.5 that allows an authenticated attacker to issue an arbitrary SQL command to the database through the unsanitized EN_tyid, theID and EID fields, which are used when an Edit action is performed on an existing record.
CVSS Score: 8.8; EPSS Score: 0.003; Published: 2022-05-15

