ChurchCRM Multiple Vulnerabilities

############################################################

[CVE-2023-24684] SQL Injection
- Description: ChurchCRM v4.5.3 and below was discovered to contain a SQL injection vulnerability via the "EID" parameter in GetText.php.
- Vulnerability Type: SQL Injection
- Vendor of Product: ChurchCRM
- Affected Product Code Base: ChurchCRM - 4.5.3
- Attack Type: Remote
- Author: Blakduk
- PoC: ChurchCRM/CRM#6440
- Reference:
https://churchcrm.io/
https://github.com/ChurchCRM/CRM

############################################################

[CVE-2023-24685] SQL Injection
- Description: ChurchCRM v4.5.3 and below was discovered to contain a SQL injection vulnerability via the "Event" parameter under the "Event Attendance reports" module.
- Vulnerability Type: SQL Injection
- Vendor of Product: ChurchCRM
- Affected Product Code Base: ChurchCRM - 4.5.3
- Attack Type: Remote
- Author: Blakduk
- PoC: ChurchCRM/CRM#6441
- Reference:
https://churchcrm.io/
https://github.com/ChurchCRM/CRM

############################################################

[CVE-2023-24686] Stored Cross-site Scripting (XSS)
- Description: An issue in the CSV import function of ChurchCRM v4.5.3 and below allows authenticated attackers to execute arbitrary code via importing a crafted CSV file.
- Vulnerability Type: Cross-site Scripting (XSS)
- Vendor of Product: ChurchCRM
- Affected Product Code Base: ChurchCRM - 4.5.3
- Attack Type: Remote
- Author: Blakduk
- PoC: ChurchCRM/CRM#6442
- Reference:
https://churchcrm.io/
https://github.com/ChurchCRM/CRM

############################################################

[CVE-2023-24690] Stored Cross-site Scripting (XSS)
- Description: Multiple Stored Cross-site Scripting (XSS) vulnerabilities in ChurchCRM v4.5.3 and below allow authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload. This vulnerability could lead to admin account takeover by stealing the user's cookie.
- Vulnerability Type: Cross-site Scripting (XSS)
- Vendor of Product: ChurchCRM
- Affected Product Code Base: ChurchCRM - 4.5.3
- Attack Type: Remote
- Author: Blakduk
- PoC:
ChurchCRM/CRM#6443
ChurchCRM/CRM#6444
- Reference:
https://churchcrm.io/
https://github.com/ChurchCRM/CRM