Churchcrm
by Churchcrm
Source repositories
CVEs (118)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-68110 | 0.00 | — | 0.00 | Dec 17, 2025 | ChurchCRM is an open-source church management system. Versions prior to 6.5.3 may disclose database information in an error message including the host, ip, username, and password. Version 6.5.3 fixes the issue. | |||
| CVE-2025-67877 | 0.00 | — | 0.00 | Dec 17, 2025 | ChurchCRM is an open-source church management system. Versions prior to 6.5.3 have a SQL injection vulnerability in the `src/CartToFamily.php` file, specifically in how the `PersonAddress` POST parameter is handled. Unlike other parameters in the same file which are correctly… | |||
| CVE-2025-67876 | 0.00 | — | 0.00 | Dec 17, 2025 | ChurchCRM is an open-source church management system. A stored cross-site scripting (XSS) vulnerability exists in ChurchCRM versions 6.4.0 and prior that allows a low-privilege user with the “Manage Groups” permission to inject persistent JavaScript into group role names.… | |||
| CVE-2025-67875 | 0.00 | — | 0.00 | Dec 17, 2025 | ChurchCRM is an open-source church management system. A privilege escalation vulnerability exists in ChurchCRM prior to version 6.5.3. An authenticated user with specific mid-level permissions ("Edit Records" and "Manage Properties and Classifications") can inject a persistent… | |||
| CVE-2025-66397 | 0.00 | — | 0.00 | Dec 17, 2025 | ChurchCRM is an open-source church management system. Prior to version 6.5.3, the allowRegistration, acceptKiosk, reloadKiosk, and identifyKiosk functions in the Kiosk Manager feature suffers from broken access control, allowing any authenticated user to allow and accept kiosk… | |||
| CVE-2025-66396 | 0.00 | — | 0.00 | Dec 17, 2025 | ChurchCRM is an open-source church management system. Prior to version 6.5.3, a SQL injection vulnerability exists in the `src/UserEditor.php` file. When an administrator saves a user's configuration settings, the keys of the `type` POST parameter array are not properly… | |||
| CVE-2025-66395 | 0.00 | — | 0.00 | Dec 17, 2025 | ChurchCRM is an open-source church management system. Prior to version 6.5.3, a SQL injection vulnerability exists in the `src/ListEvents.php` file. When filtering events by type, the `WhichType` POST parameter is not properly sanitized or type-casted before being used in… | |||
| CVE-2025-67751 | 0.00 | — | 0.00 | Dec 16, 2025 | ChurchCRM is an open-source church management system. Prior to version 6.5.0, a SQL injection vulnerability exists in the `EventEditor.php` file. When creating a new event and selecting an event type, the `EN_tyid` POST parameter is not sanitized. This allows an authenticated… | |||
| CVE-2025-67874 | 0.00 | — | 0.00 | Dec 16, 2025 | ChurchCRM is an open-source church management system. Prior to version 6.5.0, the application echoes back plaintext passwords submitted by users in subsequent HTTP responses. This information disclosure significantly increases the risk of credential compromise and may amplify… | |||
| CVE-2025-66313 | 0.00 | — | 0.00 | Dec 1, 2025 | ChurchCRM is an open-source church management system. In ChurchCRM 6.2.0 and earlier, there is a time-based blind SQL injection in the handling of the 1FieldSec parameter. Injecting SLEEP() causes deterministic server-side delays, proving the value is incorporated into a SQL… | |||
| CVE-2025-3954 | 0.00 | — | 0.00 | Apr 26, 2025 | A vulnerability, which was classified as problematic, has been found in ChurchCRM 5.16.0. Affected by this issue is some unknown functionality of the component Referer Handler. The manipulation leads to server-side request forgery. The attack may be launched remotely. The… | |||
| CVE-2025-1135 | 0.00 | — | 0.01 | Feb 19, 2025 | A vulnerability exists in ChurchCRM 5.13.0. and prior that allows an attacker to execute arbitrary SQL queries by exploiting a boolean-based and time-based blind SQL Injection vulnerability in the BatchWinnerEntry functionality. The CurrentFundraiser parameter is directly… | |||
| CVE-2025-1134 | 0.00 | — | 0.01 | Feb 19, 2025 | A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a boolean-based and time-based blind SQL Injection vulnerability in the DonatedItemEditor functionality. The CurrentFundraiser parameter is directly… | |||
| CVE-2025-1133 | 0.00 | — | 0.01 | Feb 19, 2025 | A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a boolean-based blind SQL Injection vulnerability in the EditEventAttendees functionality. The EID parameter is directly concatenated into an SQL query… | |||
| CVE-2025-1132 | 0.00 | — | 0.01 | Feb 19, 2025 | A time-based blind SQL Injection vulnerability exists in the ChurchCRM 5.13.0 and prior EditEventAttendees.php within the EN_tyid parameter. The parameter is directly inserted into an SQL query without proper sanitization, allowing attackers to inject malicious SQL commands.… | |||
| CVE-2025-1024 | 0.00 | — | 0.00 | Feb 19, 2025 | A vulnerability exists in ChurchCRM 5.13.0 that allows an attacker to execute arbitrary JavaScript in a victim's browser via Reflected Cross-Site Scripting (XSS) in the EditEventAttendees.php page. This requires Administration privileges and affects the EID parameter. The flaw… | |||
| CVE-2025-1023 | 0.00 | — | 0.02 | Feb 18, 2025 | A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a time-based blind SQL Injection vulnerability in the EditEventTypes functionality. The newCountName parameter is directly concatenated into an SQL… | |||
| CVE-2025-0981 | 0.00 | — | 0.00 | Feb 18, 2025 | A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to hijack a user's session by exploiting a Stored Cross Site Scripting (XSS) vulnerability in the Group Editor page. This allows admin users to inject malicious JavaScript in the description field,… | |||
| CVE-2024-53438 | 0.00 | — | 0.01 | Nov 22, 2024 | EventAttendance.php in ChurchCRM 5.7.0 is vulnerable to SQL injection. An attacker can exploit this vulnerability by manipulating the 'Event' parameter, which is directly interpolated into the SQL query without proper sanitization or validation, allowing attackers to execute… | |||
| CVE-2024-39304 | 0.00 | — | 0.03 | Jul 26, 2024 | ChurchCRM is an open-source church management system. Versions of the application prior to 5.9.2 are vulnerable to an authenticated SQL injection due to an improper sanitization of user input. Authentication is required, but no elevated privileges are necessary. This allows… |
- CVE-2025-68110Dec 17, 2025risk 0.00cvss —epss 0.00
ChurchCRM is an open-source church management system. Versions prior to 6.5.3 may disclose database information in an error message including the host, ip, username, and password. Version 6.5.3 fixes the issue.
- CVE-2025-67877Dec 17, 2025risk 0.00cvss —epss 0.00
ChurchCRM is an open-source church management system. Versions prior to 6.5.3 have a SQL injection vulnerability in the `src/CartToFamily.php` file, specifically in how the `PersonAddress` POST parameter is handled. Unlike other parameters in the same file which are correctly…
- CVE-2025-67876Dec 17, 2025risk 0.00cvss —epss 0.00
ChurchCRM is an open-source church management system. A stored cross-site scripting (XSS) vulnerability exists in ChurchCRM versions 6.4.0 and prior that allows a low-privilege user with the “Manage Groups” permission to inject persistent JavaScript into group role names.…
- CVE-2025-67875Dec 17, 2025risk 0.00cvss —epss 0.00
ChurchCRM is an open-source church management system. A privilege escalation vulnerability exists in ChurchCRM prior to version 6.5.3. An authenticated user with specific mid-level permissions ("Edit Records" and "Manage Properties and Classifications") can inject a persistent…
- CVE-2025-66397Dec 17, 2025risk 0.00cvss —epss 0.00
ChurchCRM is an open-source church management system. Prior to version 6.5.3, the allowRegistration, acceptKiosk, reloadKiosk, and identifyKiosk functions in the Kiosk Manager feature suffers from broken access control, allowing any authenticated user to allow and accept kiosk…
- CVE-2025-66396Dec 17, 2025risk 0.00cvss —epss 0.00
ChurchCRM is an open-source church management system. Prior to version 6.5.3, a SQL injection vulnerability exists in the `src/UserEditor.php` file. When an administrator saves a user's configuration settings, the keys of the `type` POST parameter array are not properly…
- CVE-2025-66395Dec 17, 2025risk 0.00cvss —epss 0.00
ChurchCRM is an open-source church management system. Prior to version 6.5.3, a SQL injection vulnerability exists in the `src/ListEvents.php` file. When filtering events by type, the `WhichType` POST parameter is not properly sanitized or type-casted before being used in…
- CVE-2025-67751Dec 16, 2025risk 0.00cvss —epss 0.00
ChurchCRM is an open-source church management system. Prior to version 6.5.0, a SQL injection vulnerability exists in the `EventEditor.php` file. When creating a new event and selecting an event type, the `EN_tyid` POST parameter is not sanitized. This allows an authenticated…
- CVE-2025-67874Dec 16, 2025risk 0.00cvss —epss 0.00
ChurchCRM is an open-source church management system. Prior to version 6.5.0, the application echoes back plaintext passwords submitted by users in subsequent HTTP responses. This information disclosure significantly increases the risk of credential compromise and may amplify…
- CVE-2025-66313Dec 1, 2025risk 0.00cvss —epss 0.00
ChurchCRM is an open-source church management system. In ChurchCRM 6.2.0 and earlier, there is a time-based blind SQL injection in the handling of the 1FieldSec parameter. Injecting SLEEP() causes deterministic server-side delays, proving the value is incorporated into a SQL…
- CVE-2025-3954Apr 26, 2025risk 0.00cvss —epss 0.00
A vulnerability, which was classified as problematic, has been found in ChurchCRM 5.16.0. Affected by this issue is some unknown functionality of the component Referer Handler. The manipulation leads to server-side request forgery. The attack may be launched remotely. The…
- CVE-2025-1135Feb 19, 2025risk 0.00cvss —epss 0.01
A vulnerability exists in ChurchCRM 5.13.0. and prior that allows an attacker to execute arbitrary SQL queries by exploiting a boolean-based and time-based blind SQL Injection vulnerability in the BatchWinnerEntry functionality. The CurrentFundraiser parameter is directly…
- CVE-2025-1134Feb 19, 2025risk 0.00cvss —epss 0.01
A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a boolean-based and time-based blind SQL Injection vulnerability in the DonatedItemEditor functionality. The CurrentFundraiser parameter is directly…
- CVE-2025-1133Feb 19, 2025risk 0.00cvss —epss 0.01
A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a boolean-based blind SQL Injection vulnerability in the EditEventAttendees functionality. The EID parameter is directly concatenated into an SQL query…
- CVE-2025-1132Feb 19, 2025risk 0.00cvss —epss 0.01
A time-based blind SQL Injection vulnerability exists in the ChurchCRM 5.13.0 and prior EditEventAttendees.php within the EN_tyid parameter. The parameter is directly inserted into an SQL query without proper sanitization, allowing attackers to inject malicious SQL commands.…
- CVE-2025-1024Feb 19, 2025risk 0.00cvss —epss 0.00
A vulnerability exists in ChurchCRM 5.13.0 that allows an attacker to execute arbitrary JavaScript in a victim's browser via Reflected Cross-Site Scripting (XSS) in the EditEventAttendees.php page. This requires Administration privileges and affects the EID parameter. The flaw…
- CVE-2025-1023Feb 18, 2025risk 0.00cvss —epss 0.02
A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a time-based blind SQL Injection vulnerability in the EditEventTypes functionality. The newCountName parameter is directly concatenated into an SQL…
- CVE-2025-0981Feb 18, 2025risk 0.00cvss —epss 0.00
A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to hijack a user's session by exploiting a Stored Cross Site Scripting (XSS) vulnerability in the Group Editor page. This allows admin users to inject malicious JavaScript in the description field,…
- CVE-2024-53438Nov 22, 2024risk 0.00cvss —epss 0.01
EventAttendance.php in ChurchCRM 5.7.0 is vulnerable to SQL injection. An attacker can exploit this vulnerability by manipulating the 'Event' parameter, which is directly interpolated into the SQL query without proper sanitization or validation, allowing attackers to execute…
- CVE-2024-39304Jul 26, 2024risk 0.00cvss —epss 0.03
ChurchCRM is an open-source church management system. Versions of the application prior to 5.9.2 are vulnerable to an authenticated SQL injection due to an improper sanitization of user input. Authentication is required, but no elevated privileges are necessary. This allows…
Page 4 of 6