27 matches found
ChurchCRM 6.4.0 Cross Site Scripting
ChurchCRM versions 6.4.0 and below suffer from a persistent cross site scripting vulnerability in group role name assignment. CVE-2025-67876: ChurchCRM has Stored XSS in Group Role Name Leading to Admin Session Hijacking Overview | Field | Details | |---|---| | CVE ID | CVE-2025-67876 | | Severity ...
Exploit for Cross-site Scripting in Churchcrm
CVE-2025-67875: ChurchCRM has stored XSS via Person Property A...
Exploit for CVE-2025-14855
CVE-2025-14855: SureForms WordPress Plugin Stored XSS Proof of...
CVE-2025-67876 ChurchCRM has Stored XSS in Group Role Name Leading to Admin Session Hijacking
ChurchCRM is an open-source church management system. A stored cross-site scripting (XSS) vulnerability exists in ChurchCRM versions 6.4.0 and prior that allows a low-privilege user with the “Manage Groups” permission to inject persistent JavaScript into group role names. The payload is saved in th...
EUVD-2018-2326
Malware in sbrugna...
CVE-2025-50754
Unisite CMS version 5.0 contains a stored Cross-Site Scripting (XSS) vulnerability in the "Report" functionality. A malicious script submitted by an attacker is rendered in the admin panel when viewed by an administrator. This allows attackers to hijack the admin session and, by leveraging the...
PT-2025-31863 · Unknown · Unisite Cms
Name of the Vulnerable Software and Affected Versions: Unisite CMS version 5.0 Description: Unisite CMS version 5.0 contains a stored Cross-Site Scripting (XSS) vulnerability in the "Report" functionality. A malicious script submitted by an attacker is rendered in the admin panel when viewed by an...
CVE-2024-22220
An issue was discovered in Terminalfour 7.4 through 7.4.0004 QP3 and 8 through 8.3.19, and Formbank through 2.1.10-FINAL. Unauthenticated Stored Cross-Site Scripting can occur, with resultant Admin Session Hijacking. The attack vectors are Form Builder and Form Preview...
Cross site scripting
An issue was discovered in Terminalfour 7.4 through 7.4.0004 QP3 and 8 through 8.3.19, and Formbank through 2.1.10-FINAL. Unauthenticated Stored Cross-Site Scripting can occur, with resultant Admin Session Hijacking. The attack vectors are Form Builder and Form Preview...
PT-2024-19285 · Terminalfour · Terminalfour +1
Name of the Vulnerable Software and Affected Versions: Terminalfour versions 7.4 through 7.4.0004 QP3 Terminalfour versions 8 through 8.3.19 Formbank versions through 2.1.10-FINAL Description: An issue allows Unauthenticated Stored Cross-Site Scripting, potentially leading to Admin Session...
CVE-2024-22220
CVE-2024-22220 affects Terminalfour and Formbank: unauthenticated stored cross-site scripting can lead to admin session hijacking via the Form Builder and Form Preview. Affected: Terminalfour 7.4–7.4.0004 QP3, Terminalfour 8–8.3.19, and Formbank up to 2.1.10-FINAL. Root cause is XSS in form-relat...
Stored Cross-Site Scripting vulnerability in Recipe Instructions allows Admin session hijacking
Description A low privilege user can insert malicious JavaScript code into the Recipe Instructions which will execute in another person's browser that visits the recipe. Proof of Concept Reproduction Steps: 1. As a lower privileged user login to the Mealie web application. 2. Create a recipe and...
Cross site scripting
The web application of the Kyocera printer ECOSYS M2640IDW is affected by a Stored XSS vulnerability, discovered in the addition of a new contact in "Machine Address Book". Successful exploitation of this vulnerability can lead to session hijacking of the administrator in the web application or the...
Cross-Site Scripting (XSS)
francoisjacquet/rosariosis is vulnerable to cross-site scripting (XSS). A remote attacker is able to inject and execute arbitrary JavaScript in a user's browser via the URL encode key in PreparePHPSELF.php, leading to an admin session hijacking or executing arbitrary requests using the admin's...
CVE-2019-13167
Multiple Stored XSS vulnerabilities were found in the Xerox Web Application, used by the Phaser 3320 V53.006.16.000 and other printers. Successful exploitation of this vulnerability can lead to session hijacking of the administrator in the web application or the execution of unwanted actions...
CVE-2018-18380
A Session Fixation issue was discovered in Bigtree before 4.2.24. admin.php accepts a user-provided PHP session ID instead of regenerating a new one after a user has logged in to the application. The Session Fixation could allow an attacker to hijack an admin session...