Churchcrm

18 CVEs

CVE-2026-39344 HIGH PATCH This Week

Reflected Cross-Site Scripting (XSS) in ChurchCRM login page allows remote attackers to execute arbitrary JavaScript in victims' browsers through malicious URLs containing unsanitized username parameters. ChurchCRM versions prior to 7.1.0 fail to encode the username parameter, enabling attackers to craft URLs that inject malicious scripts capable of stealing session cookies or displaying phishing forms. With CVSS 8.1 (AV:N/AC:L/PR:N/UI:R) and no public exploit identified at time of analysis, this represents a moderate-priority risk requiring user interaction but no authentication for exploitation.

XSS Information Disclosure Churchcrm
NVD GitHub
CVSS 3.0
8.1
EPSS
0.0%
CVE-2026-39338 HIGH PATCH This Week

Reflected cross-site scripting (XSS) in ChurchCRM's dashboard search parameter allows unauthenticated remote attackers to execute arbitrary JavaScript in victims' browsers. Versions prior to 7.1.0 fail to sanitize user input, enabling payload execution even when server-side validation triggers HTTP 500 errors. The CVSS v4.0 score of 8.6 reflects network accessibility (AV:N), low complexity (AC:L), no authentication required (PR:N), and high confidentiality/integrity impact (VC:H/VI:H). No public exploit identified at time of analysis, though EPSS data is unavailable for risk quantification.

XSS RCE Churchcrm
NVD GitHub
CVSS 4.0
8.6
EPSS
0.1%
CVE-2026-35574 HIGH PATCH This Week

Stored XSS in ChurchCRM Note Editor enables authenticated users to execute arbitrary JavaScript in victims' browsers, leading to session hijacking and privilege escalation against administrators managing sensitive church member data. Affects ChurchCRM versions prior to 6.5.3. CVSS 7.3 (High) reflects network-accessible attack requiring low-privilege authentication and user interaction. EPSS and KEV data not provided; no public exploit identified at time of analysis. Vendor patch released in version 6.5.3.

XSS Privilege Escalation Authentication Bypass Churchcrm
NVD GitHub
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-26059 MEDIUM POC This Month

Stored cross-site scripting in ChurchCRM versions before 6.8.2 allows authenticated users with group editing permissions to inject malicious JavaScript that executes when other users view affected groups. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires user interaction and can result in session hijacking or unauthorized actions performed on behalf of affected users.

XSS Churchcrm
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-24855 MEDIUM POC PATCH This Month

ChurchCRM versions before 6.7.2 contain a stored XSS vulnerability in the event creation feature that allows low-privileged users to inject malicious scripts into event descriptions. These payloads persist in the database and execute when administrators or other users view the affected events, potentially enabling account takeover. Public exploit code exists for this vulnerability, though a patch is available in version 6.7.2.

XSS Churchcrm
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-24854 HIGH POC PATCH This Week

Authenticated SQL injection in ChurchCRM's PaddleNumEditor.php endpoint prior to version 6.7.2 allows any logged-in user to execute arbitrary database queries regardless of their assigned permissions. Public exploit code exists for this vulnerability, enabling attackers with valid credentials to read, modify, or delete sensitive church data. Update to version 6.7.2 or later to remediate.

PHP SQLi Churchcrm
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-66313 HIGH POC PATCH This Week

ChurchCRM is an open-source church management system. In ChurchCRM 6.2.0 and earlier, there is a time-based blind SQL injection in the handling of the 1FieldSec parameter. Injecting SLEEP() causes deterministic server-side delays, proving the value is incorporated into a SQL query without proper parameterization. The issue allows data exfiltration and modification via blind techniques.

SQLi Churchcrm
NVD GitHub
CVSS 3.1
7.2
EPSS
0.0%
CVE-2025-11939 LOW POC Monitor

Path traversal in ChurchCRM's Backup Restore Handler allows high-privileged remote attackers to manipulate the restoreFile argument and access arbitrary files on the system. The vulnerability affects ChurchCRM up to version 5.18.0, requires administrative privileges (PR:H), and has publicly available exploit code. While CVSS score is low (2.0) due to privilege requirements, the limited scope impact and vendor non-response elevate practical risk for deployments with exposed admin interfaces.

PHP Path Traversal Churchcrm
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.2%
CVE-2025-11938 LOW POC Monitor

Unsafe deserialization in ChurchCRM setup/routes/setup.php allows remote attackers to manipulate DB_PASSWORD, ROOT_PATH, or URL parameters, leading to arbitrary code execution with limited impact. The vulnerability affects versions up to 5.18.0 and has publicly available exploit code, though EPSS exploitation probability remains low at 0.10% percentile, suggesting real-world exploitation is constrained by high attack complexity and difficult exploitability factors.

PHP Deserialization Churchcrm
NVD GitHub VulDB
CVSS 4.0
2.9
EPSS
0.1%
CVE-2025-11529 MEDIUM POC PATCH This Month

A security flaw has been discovered in ChurchCRM up to 5.18.0. This impacts the function AuthMiddleware of the file src/ChurchCRM/Slim/Middleware/AuthMiddleware.php of the component API Endpoint. The manipulation results in missing authentication. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. The patch is identified as 3a1cffd2aea63d884025949cfbcfd274d06216a4. A patch should be applied to remediate this issue.

PHP Authentication Bypass Churchcrm
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2025-3954 MEDIUM POC This Month

A vulnerability, which was classified as problematic, has been found in ChurchCRM 5.16.0. Rated medium severity (CVSS 6.3), this vulnerability is remotely exploitable, no authentication required. Public exploit code available and no vendor patch available.

SSRF Churchcrm
NVD VulDB
CVSS 4.0
6.3
EPSS
0.6%
CVE-2025-1135 CRITICAL POC Act Now

A vulnerability exists in ChurchCRM 5.13.0. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Churchcrm
NVD GitHub
CVSS 4.0
9.3
EPSS
0.3%
CVE-2025-1134 CRITICAL POC Act Now

A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a boolean-based and time-based blind SQL Injection vulnerability in the. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Churchcrm
NVD GitHub
CVSS 4.0
9.3
EPSS
0.3%
CVE-2025-1133 CRITICAL POC Act Now

A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a boolean-based blind SQL Injection vulnerability in the EditEventAttendees. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Churchcrm
NVD GitHub
CVSS 4.0
9.3
EPSS
0.2%
CVE-2025-1132 CRITICAL POC Act Now

A time-based blind SQL Injection vulnerability exists in the ChurchCRM 5.13.0 and prior EditEventAttendees.php within the EN_tyid parameter. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure PHP SQLi Churchcrm
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2025-1024 HIGH POC This Week

A vulnerability exists in ChurchCRM 5.13.0 that allows an attacker to execute arbitrary JavaScript in a victim's browser via Reflected Cross-Site Scripting (XSS) in the EditEventAttendees.php page. Rated high severity (CVSS 8.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP Authentication Bypass XSS Churchcrm
NVD GitHub
CVSS 4.0
8.4
EPSS
0.1%
CVE-2025-1023 CRITICAL POC Act Now

A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a time-based blind SQL Injection vulnerability in the EditEventTypes. Rated critical severity (CVSS 9.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Churchcrm
NVD GitHub
CVSS 4.0
9.3
EPSS
0.9%
CVE-2025-0981 HIGH POC This Week

A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to hijack a user's session by exploiting a Stored Cross Site Scripting (XSS) vulnerability in the Group Editor page. Rated high severity (CVSS 8.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Authentication Bypass XSS Churchcrm
NVD GitHub
CVSS 4.0
8.4
EPSS
0.1%