Vendor CVEs
ChurchCRM
All CVEs
123 total · sorted by risk

| CVE | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|
| CVE-2023-31548 | 0.02 | — | 0.01 | May 31, 2023 | A stored Cross-site scripting (XSS) vulnerability in the FundRaiserEditor.php component of ChurchCRM v4.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
| CVE-2024-25897 | 0.01 | — | 0.02 | Feb 21, 2024 | ChurchCRM 5.5.0 FRCatalog.php is vulnerable to Blind SQL Injection (Time-based) via the CurrentFundraiser GET parameter. |
| CVE-2023-26842 | 0.01 | — | 0.01 | May 31, 2023 | A stored Cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via OptionManager.php. |
| CVE-2023-26843 | 0.01 | — | 0.01 | Apr 25, 2023 | A stored Cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via NoteEditor.php. |
| CVE-2023-25346 | 0.01 | — | 0.02 | Apr 25, 2023 | A reflected cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the id parameter of /churchcrm/v2/family/not-found. |
| CVE-2026-32880 | 0.00 | — | 0.00 | Mar 20, 2026 | ChurchCRM is an open-source church management system. Versions prior to 7.0.2 allow an admin user to edit JSON type system settings to store a JavaScript payload that can execute when any admin views the system settings. The JSON input is left unescaped/unsanitized in… |
| CVE-2026-26059 | 0.00 | — | 0.00 | Feb 19, 2026 | ChurchCRM is an open-source church management system. In versions prior to 6.8.2, it was possible for an authenticated user with permission to edit groups to store a JavaScript payload that would execute when the group was viewed in the Group View. Version 6.8.2 fixes this issue. |
| CVE-2026-24855 | 0.00 | — | 0.00 | Jan 30, 2026 | ChurchCRM is an open-source church management system. Versions prior to 6.7.2 have a Stored Cross-Site Scripting (XSS) vulnerability in Create Events in Church Calendar. Users with low privileges can create XSS payloads in the Description field. This payload is stored in… |
| CVE-2026-24854 | 0.00 | — | 0.00 | Jan 30, 2026 | ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in endpoint `/PaddleNumEditor.php` in ChurchCRM prior to version 6.7.2. Any authenticated user, including one with zero assigned permissions, can exploit SQL injection through the `PerID`… |
| CVE-2025-68275 | 0.00 | — | 0.00 | Dec 17, 2025 | ChurchCRM is an open-source church management system. Versions prior to 6.5.3 have a stored cross-site scripting vulnerability on the pages `View Active People`, `View Inactive people`, and `View All People`. Version 6.5.3 fixes the issue. |
| CVE-2025-68401 | 0.00 | — | 0.00 | Dec 17, 2025 | ChurchCRM is an open-source church management system. Prior to version 6.0.0, the application stores user-supplied HTML/JS without sufficient sanitization/encoding. When other users later view this content, attacker-controlled JavaScript executes in their browser (stored XSS).… |
| CVE-2025-68400 | 0.00 | — | 0.00 | Dec 17, 2025 | ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in the legacy endpoint `/Reports/ConfirmReportEmail.php` in ChurchCRM prior to version 6.5.3. Although the feature was removed from the UI, the file remains deployed and reachable directly… |
| CVE-2025-68399 | 0.00 | — | 0.00 | Dec 17, 2025 | ChurchCRM is an open-source church management system. In versions prior to 6.5.4, there is a Stored Cross-Site Scripting (XSS) vulnerability within the GroupEditor.php page of the application. When a user attempts to create a group role, they can execute malicious JavaScript.… |
| CVE-2025-68112 | 0.00 | — | 0.00 | Dec 17, 2025 | ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability in ChurchCRM's Event Attendee Editor allows authenticated users to execute arbitrary SQL commands, leading to complete database compromise, administrative credential… |
| CVE-2025-68111 | 0.00 | — | 0.00 | Dec 17, 2025 | ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability exists in the `eGive.php` file within the "ReImport" functionality. An authenticated user with finance privileges can execute arbitrary SQL queries by manipulating the… |
| CVE-2025-68110 | 0.00 | — | 0.00 | Dec 17, 2025 | ChurchCRM is an open-source church management system. Versions prior to 6.5.3 may disclose database information in an error message including the host, IP, username, and password. Version 6.5.3 fixes the issue. |
| CVE-2025-67877 | 0.00 | — | 0.00 | Dec 17, 2025 | ChurchCRM is an open-source church management system. Versions prior to 6.5.3 have a SQL injection vulnerability in the `src/CartToFamily.php` file, specifically in how the `PersonAddress` POST parameter is handled. Unlike other parameters in the same file which are correctly… |
| CVE-2025-67876 | 0.00 | — | 0.00 | Dec 17, 2025 | ChurchCRM is an open-source church management system. A stored cross-site scripting (XSS) vulnerability exists in ChurchCRM versions 6.4.0 and prior that allows a low-privilege user with the "Manage Groups" permission to inject persistent JavaScript into group role names.… |
| CVE-2025-67875 | 0.00 | — | 0.00 | Dec 17, 2025 | ChurchCRM is an open-source church management system. A privilege escalation vulnerability exists in ChurchCRM prior to version 6.5.3. An authenticated user with specific mid-level permissions ("Edit Records" and "Manage Properties and Classifications") can inject a persistent… |
| CVE-2025-66397 | 0.00 | — | 0.00 | Dec 17, 2025 | ChurchCRM is an open-source church management system. Prior to version 6.5.3, the allowRegistration, acceptKiosk, reloadKiosk, and identifyKiosk functions in the Kiosk Manager feature suffer from broken access control, allowing any authenticated user to allow and accept kiosk… |
| CVE-2025-66396 | 0.00 | — | 0.00 | Dec 17, 2025 | ChurchCRM is an open-source church management system. Prior to version 6.5.3, a SQL injection vulnerability exists in the `src/UserEditor.php` file. When an administrator saves a user's configuration settings, the keys of the `type` POST parameter array are not properly… |
| CVE-2025-66395 | 0.00 | — | 0.00 | Dec 17, 2025 | ChurchCRM is an open-source church management system. Prior to version 6.5.3, a SQL injection vulnerability exists in the `src/ListEvents.php` file. When filtering events by type, the `WhichType` POST parameter is not properly sanitized or type-cast before being used in… |
| CVE-2025-67751 | 0.00 | — | 0.00 | Dec 16, 2025 | ChurchCRM is an open-source church management system. Prior to version 6.5.0, a SQL injection vulnerability exists in the `EventEditor.php` file. When creating a new event and selecting an event type, the `EN_tyid` POST parameter is not sanitized. This allows an authenticated… |
| CVE-2025-67874 | 0.00 | — | 0.00 | Dec 16, 2025 | ChurchCRM is an open-source church management system. Prior to version 6.5.0, the application echoes back plaintext passwords submitted by users in subsequent HTTP responses. This information disclosure significantly increases the risk of credential compromise and may amplify… |
| CVE-2025-66313 | 0.00 | — | 0.00 | Dec 1, 2025 | ChurchCRM is an open-source church management system. In ChurchCRM 6.2.0 and earlier, there is a time-based blind SQL injection in the handling of the 1FieldSec parameter. Injecting SLEEP() causes deterministic server-side delays, proving the value is incorporated into a SQL… |
| CVE-2025-3954 | 0.00 | — | 0.00 | Apr 26, 2025 | A vulnerability, which was classified as problematic, has been found in ChurchCRM 5.16.0. Affected by this issue is some unknown functionality of the component Referer Handler. The manipulation leads to server-side request forgery. The attack may be launched remotely. The… |
| CVE-2025-1135 | 0.00 | — | 0.01 | Feb 19, 2025 | A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a boolean-based and time-based blind SQL Injection vulnerability in the BatchWinnerEntry functionality. The CurrentFundraiser parameter is directly… |
| CVE-2025-1134 | 0.00 | — | 0.01 | Feb 19, 2025 | A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a boolean-based and time-based blind SQL Injection vulnerability in the DonatedItemEditor functionality. The CurrentFundraiser parameter is directly… |
| CVE-2025-1133 | 0.00 | — | 0.01 | Feb 19, 2025 | A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a boolean-based blind SQL Injection vulnerability in the EditEventAttendees functionality. The EID parameter is directly concatenated into an SQL query… |
| CVE-2025-1132 | 0.00 | — | 0.01 | Feb 19, 2025 | A time-based blind SQL Injection vulnerability exists in ChurchCRM 5.13.0 and prior in EditEventAttendees.php within the EN_tyid parameter. The parameter is directly inserted into an SQL query without proper sanitization, allowing attackers to inject malicious SQL commands.… |
| CVE-2025-1024 | 0.00 | — | 0.00 | Feb 19, 2025 | A vulnerability exists in ChurchCRM 5.13.0 that allows an attacker to execute arbitrary JavaScript in a victim's browser via Reflected Cross-Site Scripting (XSS) in the EditEventAttendees.php page. This requires Administration privileges and affects the EID parameter. The flaw… |
| CVE-2025-1023 | 0.00 | — | 0.02 | Feb 18, 2025 | A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a time-based blind SQL Injection vulnerability in the EditEventTypes functionality. The newCountName parameter is directly concatenated into an SQL… |
| CVE-2025-0981 | 0.00 | — | 0.00 | Feb 18, 2025 | A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to hijack a user's session by exploiting a Stored Cross Site Scripting (XSS) vulnerability in the Group Editor page. This allows admin users to inject malicious JavaScript in the description field,… |
| CVE-2024-53438 | 0.00 | — | 0.01 | Nov 22, 2024 | EventAttendance.php in ChurchCRM 5.7.0 is vulnerable to SQL injection. An attacker can exploit this vulnerability by manipulating the 'Event' parameter, which is directly interpolated into the SQL query without proper sanitization or validation, allowing attackers to execute… |
| CVE-2024-39304 | 0.00 | — | 0.03 | Jul 26, 2024 | ChurchCRM is an open-source church management system. Versions of the application prior to 5.9.2 are vulnerable to an authenticated SQL injection due to improper sanitization of user input. Authentication is required, but no elevated privileges are necessary. This allows… |
| CVE-2024-25896 | 0.00 | — | 0.00 | Feb 21, 2024 | ChurchCRM 5.5.0 EventEditor.php is vulnerable to Blind SQL Injection (Time-based) via the EID POST parameter. |
| CVE-2024-25892 | 0.00 | — | 0.01 | Feb 21, 2024 | ChurchCRM 5.5.0 ConfirmReport.php is vulnerable to Blind SQL Injection (Time-based) via the familyId GET parameter. |
| CVE-2024-25895 | 0.00 | — | 0.00 | Feb 21, 2024 | A reflected cross-site scripting (XSS) vulnerability in ChurchCRM 5.5.0 allows remote attackers to inject arbitrary web script or HTML via the type parameter of /EventAttendance.php. |
| CVE-2024-25898 | 0.00 | — | 0.00 | Feb 21, 2024 | An XSS vulnerability was found in the ChurchCRM v.5.5.0 "edit your event" functionality, where malicious JS or HTML code can be inserted in the Event Sermon field in EventEditor.php. |
| CVE-2024-25893 | 0.00 | — | 0.00 | Feb 21, 2024 | ChurchCRM 5.5.0 FRCertificates.php is vulnerable to Blind SQL Injection (Time-based) via the CurrentFundraiser GET parameter. |
| CVE-2024-25891 | 0.00 | — | 0.01 | Feb 21, 2024 | ChurchCRM 5.5.0 FRBidSheets.php is vulnerable to Blind SQL Injection (Time-based) via the CurrentFundraiser GET parameter. |
| CVE-2024-25894 | 0.00 | — | 0.01 | Feb 21, 2024 | ChurchCRM 5.5.0 /EventEditor.php is vulnerable to Blind SQL Injection (Time-based) via the EventCount POST parameter. |
| CVE-2020-28848 | 0.00 | — | 0.01 | Aug 11, 2023 | CSV Injection vulnerability in ChurchCRM version 4.2.0 allows remote attackers to execute arbitrary code via a crafted CSV file. |
| CVE-2020-28849 | 0.00 | — | 0.00 | Aug 11, 2023 | Cross Site Scripting (XSS) vulnerability in ChurchCRM version 4.2.1 allows remote attackers to execute arbitrary code and gain sensitive information via a crafted payload in the Add New Deposit field in the View All Deposit module. |
| CVE-2023-38769 | 0.00 | — | 0.01 | Aug 8, 2023 | SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the searchstring and searchwhat parameters within /QueryView.php. |
| CVE-2023-38768 | 0.00 | — | 0.01 | Aug 8, 2023 | SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the PropertyID parameter within /QueryView.php. |
| CVE-2023-38762 | 0.00 | — | 0.01 | Aug 8, 2023 | SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the friendmonths parameter within /QueryView.php. |
| CVE-2023-38770 | 0.00 | — | 0.01 | Aug 8, 2023 | SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the group parameter within /QueryView.php. |
| CVE-2023-38764 | 0.00 | — | 0.01 | Aug 8, 2023 | SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the birthmonth and percls parameters within /QueryView.php. |
| CVE-2023-38765 | 0.00 | — | 0.01 | Aug 8, 2023 | SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the membermonth parameter within /QueryView.php. |
Page 2 of 3