
ChurchCRM Multiple Vulnerabilities

############################################################

[CVE-2023-24684] SQL Injection
- Description: ChurchCRM v4.5.3 and below was discovered to contain a SQL injection vulnerability via the "EID" parameter in GetText.php.
- Vulnerability Type: SQL Injection
- Vendor of Product: ChurchCRM
- Affected Product Code Base: ChurchCRM - 4.5.3
- Attack Type: Remote
- Author: Blakduk
- PoC: ChurchCRM/CRM#6440
- Reference:
https://churchcrm.io/
https://github.com/ChurchCRM/CRM

############################################################

[CVE-2023-24685] SQL Injection
- Description: ChurchCRM v4.5.3 and below was discovered to contain a SQL injection vulnerability via the "Event" parameter under the "Event Attendance reports" module.
- Vulnerability Type: SQL Injection
- Vendor of Product: ChurchCRM
- Affected Product Code Base: ChurchCRM - 4.5.3
- Attack Type: Remote
- Author: Blakduk
- PoC: ChurchCRM/CRM#6441
- Reference:
https://churchcrm.io/
https://github.com/ChurchCRM/CRM
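Both SQL injection entries above (CVE-2023-24684 and CVE-2023-24685) share the same root cause class: a request parameter reaching SQL text without validation or binding. The following is an added illustration written for this page, not ChurchCRM's code and not the PoC from the linked issues; the table name `events_attend`, the column `eid` and the sample rows are constructed, and the fix shown (integer validation plus a PDO prepared statement) is the generic remediation pattern rather than the vendor's actual patch.

```php
<?php
// Added example (not ChurchCRM's code): contrast a query built from a raw
// request parameter with one that validates and binds it.
// Hypothetical schema: table `events_attend` with an integer `eid` column.

function getEventVulnerable(PDO $pdo, array $request): array
{
    // Unsafe: the request value is concatenated straight into SQL text,
    // so quoting characters in it become SQL syntax.
    $eid = $request['EID'] ?? '';
    $sql = "SELECT * FROM events_attend WHERE eid = '" . $eid . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

function getEventHardened(PDO $pdo, array $request): array
{
    // 1. Enforce the type the application expects: an integer id.
    $eid = filter_var($request['EID'] ?? null, FILTER_VALIDATE_INT);
    if ($eid === false) {
        throw new InvalidArgumentException('EID must be an integer');
    }
    // 2. Bind the value; the driver never interprets it as SQL syntax.
    $stmt = $pdo->prepare('SELECT * FROM events_attend WHERE eid = :eid');
    $stmt->bindValue(':eid', $eid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demonstration on an in-memory SQLite database with constructed rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE events_attend (eid INTEGER, note TEXT)');
$pdo->exec("INSERT INTO events_attend VALUES (1, 'public'), (2, 'private')");

// Constructed sample input: a textbook tautology instead of an id.
$hostile = ['EID' => "1' OR '1'='1"];

// Vulnerable path: the WHERE clause is always true, every row comes back.
echo count(getEventVulnerable($pdo, $hostile)) . " rows returned (vulnerable)\n";

// Hardened path: the value fails integer validation before any SQL runs.
try {
    getEventHardened($pdo, $hostile);
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}

// A well-formed id still works through the hardened path.
echo count(getEventHardened($pdo, ['EID' => '2'])) . " row returned (hardened)\n";
```

Run with `php` and the SQLite PDO driver enabled. Note that the validation step alone is not the defence: a parameter that legitimately takes free text (an event name, for instance) cannot be rejected by type, so the prepared statement is what must hold in every code path, with validation as a second layer.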

############################################################

[CVE-2023-24686] Stored Cross-site Scripting (XSS)
- Description: An issue in the CSV import function of ChurchCRM v4.5.3 and below allows authenticated attackers to execute arbitrary code by importing a crafted CSV file.
- Vulnerability Type: Cross-site Scripting (XSS)
- Vendor of Product: ChurchCRM
- Affected Product Code Base: ChurchCRM - 4.5.3
- Attack Type: Remote
- Author: Blakduk
- PoC: ChurchCRM/CRM#6442
- Reference:
https://churchcrm.io/
https://github.com/ChurchCRM/CRM

############################################################

[CVE-2023-24690] Stored Cross-site Scripting (XSS)
- Description: Multiple Stored Cross-site Scripting (XSS) vulnerabilities in ChurchCRM v4.5.3 and below allow authenticated attackers to execute arbitrary web scripts or HTML via a crafted payload. This vulnerability could lead to admin account takeover by stealing a user's cookie.
- Vulnerability Type: Cross-site Scripting (XSS)
- Vendor of Product: ChurchCRM
- Affected Product Code Base: ChurchCRM - 4.5.3
- Attack Type: Remote
- Author: Blakduk
- PoC:
ChurchCRM/CRM#6443
ChurchCRM/CRM#6444
- Reference:
https://churchcrm.io/
https://github.com/ChurchCRM/CRM
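The two stored XSS entries (CVE-2023-24686 via CSV import and CVE-2023-24690 via crafted payloads) have the same shape: attacker-controlled text is persisted and later rendered into HTML without encoding. The block below is an added example for this page, not ChurchCRM's code and not the PoC from the linked issues. The CSV columns, the row renderer and the sample data are constructed; it shows the two standard controls a defender would check for: contextual output encoding at render time, and session cookie flags that limit the impact the advisory describes (cookie theft leading to account takeover).

```php
<?php
// Added example (not ChurchCRM's code): stored XSS through imported data.
// Hypothetical import format: a CSV with FirstName and LastName columns.

function parseCsvString(string $csv): array
{
    // Parse an in-memory CSV string into associative rows.
    $handle = fopen('php://memory', 'r+');
    fwrite($handle, $csv);
    rewind($handle);
    $header = fgetcsv($handle, null, ',', '"', '\\');
    $rows = [];
    while (($fields = fgetcsv($handle, null, ',', '"', '\\')) !== false) {
        $rows[] = array_combine($header, $fields);
    }
    fclose($handle);
    return $rows;
}

function e(string $value): string
{
    // Encode for an HTML text/attribute context; ENT_QUOTES covers both
    // quote styles so the value is also safe inside attributes.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderRowVulnerable(array $row): string
{
    // Unsafe: stored field echoed verbatim into markup.
    return '<tr><td>' . $row['FirstName'] . '</td><td>' . $row['LastName'] . '</td></tr>';
}

function renderRowHardened(array $row): string
{
    // Safe: every untrusted value encoded at the point of output.
    return '<tr><td>' . e($row['FirstName']) . '</td><td>' . e($row['LastName']) . '</td></tr>';
}

function hardenSessionCookie(): void
{
    // Limits the impact of any XSS that does get through: HttpOnly keeps the
    // session id away from script, Secure keeps it off plaintext HTTP, and
    // SameSite reduces cross-site use. Must run before session_start().
    session_set_cookie_params([
        'httponly' => true,
        'secure'   => true,
        'samesite' => 'Lax',
    ]);
}

// Constructed sample import: the second row carries a textbook script tag.
$csv = "FirstName,LastName\n"
     . "Ada,Lovelace\n"
     . "\"<script>alert(1)</script>\",Smith\n";

foreach (parseCsvString($csv) as $row) {
    echo "vulnerable: " . renderRowVulnerable($row) . "\n";
    echo "hardened:   " . renderRowHardened($row) . "\n";
}
// The hardened renderer emits &lt;script&gt;...&lt;/script&gt;, which the
// browser displays as text instead of executing.
```

Two caveats for review: encoding must match the output context (the `e()` helper above is for HTML body and attribute text, not for JavaScript string literals or URLs), and encoding at import time instead of render time is fragile because the same stored value is often rendered in several contexts. Rejecting rows at import is a reasonable additional layer, but only output encoding closes the class.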