Vulnerabilities (CVE)


Filtered by vendor: Churchcrm
Total: 9 CVEs

CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3

CVE-2023-27059 | 1 (Churchcrm) | 1 (Churchcrm) | 2023-03-22 | N/A | 5.4 MEDIUM
    A cross-site scripting (XSS) vulnerability in the Edit Group function of ChurchCRM v4.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the Edit Group Name text field.

CVE-2023-24684 | 1 (Churchcrm) | 1 (Churchcrm) | 2023-02-16 | N/A | 7.2 HIGH
    ChurchCRM v4.5.3 and below was discovered to contain a SQL injection vulnerability via the EID parameter at GetText.php.

CVE-2023-24686 | 1 (Churchcrm) | 1 (Churchcrm) | 2023-02-16 | N/A | 4.8 MEDIUM
    An issue in the CSV Import function of ChurchCRM v4.5.3 and below allows attackers to execute arbitrary code by importing a crafted CSV file.

CVE-2023-24685 | 1 (Churchcrm) | 1 (Churchcrm) | 2023-02-16 | N/A | 7.2 HIGH
    ChurchCRM v4.5.3 and below was discovered to contain a SQL injection vulnerability via the Event parameter in the Event Attendance reports module.

CVE-2023-24690 | 1 (Churchcrm) | 1 (Churchcrm) | 2023-02-16 | N/A | 5.4 MEDIUM
    ChurchCRM v4.5.3 and below was discovered to contain a stored cross-site scripting (XSS) vulnerability at /api/public/register/family.

CVE-2022-36137 | 1 (Churchcrm) | 1 (Churchcrm) | 2022-11-29 | N/A | 4.8 MEDIUM
    ChurchCRM version 4.4.5 has stored cross-site scripting (XSS) vulnerabilities that can be triggered via the location input sHeader.

CVE-2022-36136 | 1 (Churchcrm) | 1 (Churchcrm) | 2022-11-29 | N/A | 4.8 MEDIUM
    ChurchCRM version 4.4.5 has stored cross-site scripting (XSS) vulnerabilities that can be triggered via the location input Deposit Comment.

CVE-2022-31325 | 1 (Churchcrm) | 1 (Churchcrm) | 2022-11-29 | 6.5 MEDIUM | 7.2 HIGH
    There is a SQL injection vulnerability in ChurchCRM 4.4.5 via the 'PersonID' field in /churchcrm/WhyCameEditor.php.

CVE-2021-41965 | 1 (Churchcrm) | 1 (Churchcrm) | 2022-05-23 | 6.5 MEDIUM | 8.8 HIGH
    A SQL injection vulnerability exists in ChurchCRM versions 2.0.0 to 4.4.5 that allows an authenticated attacker to issue arbitrary SQL commands to the database through the unsanitized EN_tyid, theID and EID fields used when an Edit action is performed on an existing record.