Crm
Monthly
Reflected Cross-Site Scripting in ChurchCRM before 7.4.0 lets remote attackers inject JavaScript through unsanitized request parameter names and values reflected into JavaScript-string and HTML-attribute contexts on endpoints such as /FamilyCustomFieldsEditor.php, /PaddleNumList.php, and /admin/system/church-info. When a victim (especially an administrator) follows a crafted link, the payload executes in their session, enabling session-token theft, account takeover, and exposure of church member data. No public exploit identified at time of analysis, and the CVSS 4.0 vector (PR:N/UI:A) indicates unauthenticated triggering but requires victim interaction.
Insecure Direct Object Reference in ChurchCRM before 7.4.0 lets an authenticated non-admin user with EditSelf access read and modify other congregations' family records by supplying a different family's familyId to family-scoped endpoints. Because the backend loads the family entity by the attacker-controlled ID without ownership verification, a user who also holds the Notes permission can additionally create notes on unrelated families' records, breaking the intended self-service scope. No public exploit identified at time of analysis, though the flaw is trivially reproducible by manipulating a request parameter.
Remote code execution in ChurchCRM before 7.4.0 lets an authenticated administrator run arbitrary PHP on the server by installing a plugin ZIP that contains a webshell. Because 'php' is explicitly whitelisted in ALLOWED_EXTENSIONS and the DENIED_EXTENSIONS denylist fails to catch standard .php files, any PHP file inside the archive is extracted directly under the web root and becomes immediately executable over HTTP without the plugin ever being enabled. The /plugins/install-url route additionally allows the archive to be sourced from any attacker-controlled HTTPS URL, validated only against an attacker-supplied SHA-256 hash. No public exploit identified at time of analysis and it is not on CISA KEV.
Authorization bypass in ChurchCRM prior to version 7.4.0 exposes the full congregation member directory to any low-privileged authenticated user via the unprotected POST /CSVCreateFile.php endpoint. The endpoint streams a CSV containing complete PII for every Person and Family record in the database without performing a dedicated function-level authorization check, relying instead on a legacy coarse gate that any single non-admin permission flag satisfies. No public exploit has been identified at time of analysis, but the trivially low exploitation barrier - any valid low-privilege account - makes this a high-priority remediation for organizations managing sensitive congregation data.
ChurchCRM is an open-source church management system. Prior to 7.3.2, The fix for CVE-2026-39337 is incomplete. The pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard via unsanitized DB_PASSWORD remains fully exploitable This vulnerability is fixed in 7.3.2.
Stored cross-site scripting in ChurchCRM prior to version 7.1.0 allows authenticated administrators with high privileges to inject malicious scripts through configuration fields, Person editor defaults, and self-registration form defaults, which are then rendered without sanitization when accessed by other administrators or users. The vulnerability requires admin interaction to exploit (UI:R) and affects confidentiality and integrity but not availability. No public exploit code or active exploitation has been identified.
Insecure Direct Object Reference (IDOR) in ChurchCRM API allows authenticated low-privilege users to manipulate arbitrary family records without proper authorization checks. Attackers with any valid API credentials can modify family verification status, trigger spam emails, activate/deactivate accounts, and force geocoding operations on any family record by manipulating the familyId parameter in API requests. Affects all ChurchCRM versions prior to 7.1.0. CVSS 8.1 (High) reflects the network-accessible attack vector with low complexity and high integrity/availability impact. No evidence of active exploitation (CISA KEV negative) or public exploit code at time of analysis, but the vulnerability is trivially exploitable given the low attack complexity and published security advisory.
ChurchCRM church management system versions before 7.1.0 allow authenticated users with EditSelf permission to exfiltrate administrator session cookies through stored XSS in social media profile fields. Attackers chain JavaScript payloads across Facebook, LinkedIn, and X fields using onfocus event handlers to bypass 50-character limits, automatically executing when any user (including administrators) views the malicious profile. No public exploit code or confirmed active exploitation identified at time of analysis, though EPSS data unavailable. CVSS 8.9 reflects high impact but requires authenticated access and user interaction.
Stored XSS in ChurchCRM prior to 7.1.1 allows authenticated administrators to inject malicious scripts via group remove controls and family editor state/country fields. The vulnerability requires high-privilege account access and user interaction to trigger, making it an admin-to-admin attack surface rather than a direct threat to end-users. ChurchCRM 7.1.1 and later contain the fix.
Stored cross-site scripting in ChurchCRM versions prior to 7.0.0 allows authenticated users to inject malicious JavaScript through the Person Property Management subsystem, executing when other users view affected profiles. This vulnerability persists despite previous CVE-2023-38766 patches and enables session hijacking or account compromise through persistent payload execution. No public exploit identified at time of analysis, though CVSS score of 8.7 reflects high impact with cross-site scripting scope allowing privilege escalation beyond the attacker's session context.
Stored Cross-Site Scripting in ChurchCRM admin panel enables session hijacking and administrative account takeover through malicious group names. Authenticated users with group-creation privileges can inject JavaScript that executes when administrators view group listings, stealing session cookies. ChurchCRM versions prior to 6.5.3 are affected. No public exploit identified at time of analysis, with EPSS data unavailable, though the low attack complexity (AC:L) and availability of technical details in the GitHub Security Advisory increase exploitation risk for authenticated internal threats.
Server-Side Request Forgery in ChurchCRM versions prior to 6.5.3 allows authenticated administrators to trigger outbound HTTP/HTTPS requests to arbitrary external hosts by injecting malicious URLs into the Referer header. Attackers with high-privilege access can exploit this to probe internal networks, exfiltrate data, or interact with cloud metadata services. CVSS 7.0 reflects medium-high severity requiring privileged access (PR:H). No public exploit identified at time of analysis, though SSRF exploitation techniques are well-documented. EPSS data not provided, but the requirement for admin credentials significantly reduces real-world attack surface compared to unauthenticated SSRF vulnerabilities.
SQL injection in ChurchCRM versions prior to 7.1.0 allows authenticated users with low privileges to execute arbitrary SQL commands via the fund raiser statement report functionality. The vulnerability stems from inadequate input validation of session-based fundraiser identifiers in src/Reports/FundRaiserStatement.php, enabling attackers to achieve complete database compromise including data exfiltration, modification, and potential remote code execution. EPSS exploitation probability and KEV status unavailable, but public advisory exists from GitHub Security (GHSA-grq6-q49f-44xh). No public exploit identified at time of analysis, though SQL injection exploits are well-documented and exploitation complexity is low per CVSS vector (AC:L).
The CRM Plugin before 4.2.4 for Redmine allows XSS via crafted vCard data. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Sitecore CRM 8.1 Rev 151207 allows remote authenticated administrators to read arbitrary files via an absolute path traversal attack on sitecore/shell/download.aspx with the file parameter. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The package manager in Sitecore CRM 8.1 Rev 151207 allows remote authenticated administrators to execute arbitrary ASP code by creating a ZIP archive in which a .asp file has a ..\ in its pathname,. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.
Reflected Cross-Site Scripting in ChurchCRM before 7.4.0 lets remote attackers inject JavaScript through unsanitized request parameter names and values reflected into JavaScript-string and HTML-attribute contexts on endpoints such as /FamilyCustomFieldsEditor.php, /PaddleNumList.php, and /admin/system/church-info. When a victim (especially an administrator) follows a crafted link, the payload executes in their session, enabling session-token theft, account takeover, and exposure of church member data. No public exploit identified at time of analysis, and the CVSS 4.0 vector (PR:N/UI:A) indicates unauthenticated triggering but requires victim interaction.
Insecure Direct Object Reference in ChurchCRM before 7.4.0 lets an authenticated non-admin user with EditSelf access read and modify other congregations' family records by supplying a different family's familyId to family-scoped endpoints. Because the backend loads the family entity by the attacker-controlled ID without ownership verification, a user who also holds the Notes permission can additionally create notes on unrelated families' records, breaking the intended self-service scope. No public exploit identified at time of analysis, though the flaw is trivially reproducible by manipulating a request parameter.
Remote code execution in ChurchCRM before 7.4.0 lets an authenticated administrator run arbitrary PHP on the server by installing a plugin ZIP that contains a webshell. Because 'php' is explicitly whitelisted in ALLOWED_EXTENSIONS and the DENIED_EXTENSIONS denylist fails to catch standard .php files, any PHP file inside the archive is extracted directly under the web root and becomes immediately executable over HTTP without the plugin ever being enabled. The /plugins/install-url route additionally allows the archive to be sourced from any attacker-controlled HTTPS URL, validated only against an attacker-supplied SHA-256 hash. No public exploit identified at time of analysis and it is not on CISA KEV.
Authorization bypass in ChurchCRM prior to version 7.4.0 exposes the full congregation member directory to any low-privileged authenticated user via the unprotected POST /CSVCreateFile.php endpoint. The endpoint streams a CSV containing complete PII for every Person and Family record in the database without performing a dedicated function-level authorization check, relying instead on a legacy coarse gate that any single non-admin permission flag satisfies. No public exploit has been identified at time of analysis, but the trivially low exploitation barrier - any valid low-privilege account - makes this a high-priority remediation for organizations managing sensitive congregation data.
ChurchCRM is an open-source church management system. Prior to 7.3.2, The fix for CVE-2026-39337 is incomplete. The pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard via unsanitized DB_PASSWORD remains fully exploitable This vulnerability is fixed in 7.3.2.
Stored cross-site scripting in ChurchCRM prior to version 7.1.0 allows authenticated administrators with high privileges to inject malicious scripts through configuration fields, Person editor defaults, and self-registration form defaults, which are then rendered without sanitization when accessed by other administrators or users. The vulnerability requires admin interaction to exploit (UI:R) and affects confidentiality and integrity but not availability. No public exploit code or active exploitation has been identified.
Insecure Direct Object Reference (IDOR) in ChurchCRM API allows authenticated low-privilege users to manipulate arbitrary family records without proper authorization checks. Attackers with any valid API credentials can modify family verification status, trigger spam emails, activate/deactivate accounts, and force geocoding operations on any family record by manipulating the familyId parameter in API requests. Affects all ChurchCRM versions prior to 7.1.0. CVSS 8.1 (High) reflects the network-accessible attack vector with low complexity and high integrity/availability impact. No evidence of active exploitation (CISA KEV negative) or public exploit code at time of analysis, but the vulnerability is trivially exploitable given the low attack complexity and published security advisory.
ChurchCRM church management system versions before 7.1.0 allow authenticated users with EditSelf permission to exfiltrate administrator session cookies through stored XSS in social media profile fields. Attackers chain JavaScript payloads across Facebook, LinkedIn, and X fields using onfocus event handlers to bypass 50-character limits, automatically executing when any user (including administrators) views the malicious profile. No public exploit code or confirmed active exploitation identified at time of analysis, though EPSS data unavailable. CVSS 8.9 reflects high impact but requires authenticated access and user interaction.
Stored XSS in ChurchCRM prior to 7.1.1 allows authenticated administrators to inject malicious scripts via group remove controls and family editor state/country fields. The vulnerability requires high-privilege account access and user interaction to trigger, making it an admin-to-admin attack surface rather than a direct threat to end-users. ChurchCRM 7.1.1 and later contain the fix.
Stored cross-site scripting in ChurchCRM versions prior to 7.0.0 allows authenticated users to inject malicious JavaScript through the Person Property Management subsystem, executing when other users view affected profiles. This vulnerability persists despite previous CVE-2023-38766 patches and enables session hijacking or account compromise through persistent payload execution. No public exploit identified at time of analysis, though CVSS score of 8.7 reflects high impact with cross-site scripting scope allowing privilege escalation beyond the attacker's session context.
Stored Cross-Site Scripting in ChurchCRM admin panel enables session hijacking and administrative account takeover through malicious group names. Authenticated users with group-creation privileges can inject JavaScript that executes when administrators view group listings, stealing session cookies. ChurchCRM versions prior to 6.5.3 are affected. No public exploit identified at time of analysis, with EPSS data unavailable, though the low attack complexity (AC:L) and availability of technical details in the GitHub Security Advisory increase exploitation risk for authenticated internal threats.
Server-Side Request Forgery in ChurchCRM versions prior to 6.5.3 allows authenticated administrators to trigger outbound HTTP/HTTPS requests to arbitrary external hosts by injecting malicious URLs into the Referer header. Attackers with high-privilege access can exploit this to probe internal networks, exfiltrate data, or interact with cloud metadata services. CVSS 7.0 reflects medium-high severity requiring privileged access (PR:H). No public exploit identified at time of analysis, though SSRF exploitation techniques are well-documented. EPSS data not provided, but the requirement for admin credentials significantly reduces real-world attack surface compared to unauthenticated SSRF vulnerabilities.
SQL injection in ChurchCRM versions prior to 7.1.0 allows authenticated users with low privileges to execute arbitrary SQL commands via the fund raiser statement report functionality. The vulnerability stems from inadequate input validation of session-based fundraiser identifiers in src/Reports/FundRaiserStatement.php, enabling attackers to achieve complete database compromise including data exfiltration, modification, and potential remote code execution. EPSS exploitation probability and KEV status unavailable, but public advisory exists from GitHub Security (GHSA-grq6-q49f-44xh). No public exploit identified at time of analysis, though SQL injection exploits are well-documented and exploitation complexity is low per CVSS vector (AC:L).
The CRM Plugin before 4.2.4 for Redmine allows XSS via crafted vCard data. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.
Sitecore CRM 8.1 Rev 151207 allows remote authenticated administrators to read arbitrary files via an absolute path traversal attack on sitecore/shell/download.aspx with the file parameter. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.
The package manager in Sitecore CRM 8.1 Rev 151207 allows remote authenticated administrators to execute arbitrary ASP code by creating a ZIP archive in which a .asp file has a ..\ in its pathname,. Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.