12 matches found
CVE-2026-39940 ChurchCRM has an Open Redirect via the ‘linkBack’ URL Parameter in DonatedItemEditor.php
ChurchCRM is an open-source church management system. Prior to 7.0.0, it was possible in many places across the ChurchCRM application to create a link that, when visited by an authenticated user, would redirect them to any URL chosen by an attacker if they clicked the 'Cancel' button on the page. For...
CVE-2026-39940
ChurchCRM prior to 7.0.0 exposes an open redirect via the linkBack URL parameter in DonatedItemEditor.php, allowing an authenticated user to be redirected to an attacker‑controlled URL when clicking Cancel. This affects versions before 7.0.0; the issue is fixed in 7.0.0. The CVSS metrics indicate...
XWiki Platform injection vulnerability
XWiki Platform is a suite of wiki platforms for creating web collaboration applications, from XWiki France. XWiki Platform suffers from an injection vulnerability that stems from improper escaping in the "Cancel and return to page" buttons, which allows any user with view rights to...
SUSE CVE-2013-7273
GNOME Display Manager (gdm) 3.4.1 and earlier, when disable-user-list is set to true, allows local users to cause a denial of service (unable to login) by pressing the cancel button after entering a user name...
CVE-2018-14398
An issue was discovered in Creme CRM 1.6.12. The value of the cancel button uses the content of the HTTP Referer header, and could be used to trick a user into visiting a fake login page in order to steal credentials...
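The ChurchCRM (linkBack parameter) and Creme CRM (Referer header) entries above describe the same defect: a "Cancel" destination taken from request data and used unchecked. The following is an added example, written for this page and not code from either project, of the validation a practitioner would put in front of such a redirect. It rejects the encodings browsers resolve to a foreign host that urlsplit alone would miss (protocol-relative `//host`, slash-flooded `///host`, `http:host` without slashes, backslashes, userinfo tricks, control characters, non-http(s) schemes), and it attribute-escapes the target when rendering the button, which is the separate escaping defect behind the XWiki and Cybozu Dezie entries below. The hostnames in `ALLOWED_HOSTS`, the `DEFAULT_BACK` landing page, the `cancel_target_from_request` helper and every sample URL are assumptions constructed for the example.

```python
"""Validate a user-supplied 'back'/'cancel' target before redirecting to it.

Added example, not ChurchCRM's or Creme CRM's code. Assumptions: the
application's own hostnames are in ALLOWED_HOSTS, the default landing page
is DEFAULT_BACK, and every sample URL below is constructed.
"""
import html
from urllib.parse import urlsplit

# Hypothetical application hosts; a real app would load these from config.
ALLOWED_HOSTS = frozenset({"crm.example", "crm.example.internal"})
DEFAULT_BACK = "/"


def is_safe_back_link(candidate, allowed_hosts=ALLOWED_HOSTS):
    """True only if `candidate` stays on one of allowed_hosts in every browser.

    Rejects the usual open-redirect encodings instead of trying to normalise
    them; anything rejected falls back to the application's own default.
    """
    if not candidate:
        return False
    # Browsers treat "\" as "/" and skip C0 controls and surrounding spaces;
    # urlsplit does not model all of that, so refuse such input outright.
    if "\\" in candidate or candidate != candidate.strip():
        return False
    if any(ord(ch) < 0x20 or ch == "\x7f" for ch in candidate):
        return False

    parts = urlsplit(candidate)
    scheme = parts.scheme.lower()

    if scheme and scheme not in ("http", "https"):
        return False                  # javascript:, data:, mailto:, ...
    if scheme and not parts.netloc:
        return False                  # "http:evil.example", "http:/evil.example"
    if candidate.startswith("//") and not parts.netloc:
        return False                  # "///evil.example": browsers read a host here
    if parts.netloc:
        if "@" in parts.netloc:
            return False              # "https://crm.example@evil.example/"
        if parts.hostname not in allowed_hosts:
            return False              # absolute URL to a foreign host
    return True                       # relative path or an allowed host


def safe_back_link(candidate, default=DEFAULT_BACK, allowed_hosts=ALLOWED_HOSTS):
    """Return `candidate` if it passes validation, else the default page."""
    return candidate if is_safe_back_link(candidate, allowed_hosts) else default


def cancel_target_from_request(params, headers):
    """Pick the Cancel destination the way the two advisories describe it
    (explicit linkBack parameter first, then the Referer header), but only
    accept a value that passes validation. `params` and `headers` are plain
    dicts standing in for the request (hypothetical helper)."""
    for candidate in (params.get("linkBack"), headers.get("Referer")):
        if is_safe_back_link(candidate):
            return candidate
    return DEFAULT_BACK


def render_cancel_button(target):
    """Emit the Cancel link with the validated target attribute-escaped, so a
    value that survives validation (a path containing quotes or angle
    brackets) cannot break out of the href attribute."""
    return '<a class="btn" href="{}">Cancel</a>'.format(
        html.escape(safe_back_link(target), quote=True))


if __name__ == "__main__":
    # Constructed samples: what an attacker might put in linkBack or Referer.
    samples = [
        "/DonatedItemEditor.php?DonatedItemID=12",
        "https://crm.example/people/5",
        "https://evil.example/login",
        "//evil.example/login",
        "///evil.example/login",
        "http:evil.example",
        "/\\evil.example",
        "https://crm.example@evil.example/",
        "javascript:alert(document.cookie)",
        "https://crm.example.evil.example/",
    ]
    for url in samples:
        print(f"{'ALLOW' if is_safe_back_link(url) else 'BLOCK':5}  {url!r}")
```

The check deliberately refuses rather than rewrites: a value such as `///evil.example` is not worth "fixing", and falling back to `DEFAULT_BACK` costs the user one click. Note that `urlsplit` reports an empty host for `///evil.example` and `http:evil.example` even though browsers resolve both to the foreign host, which is why the explicit scheme-without-netloc and double-slash tests are there.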
CVE-2013-7273
GNOME Display Manager (gdm) 3.4.1 and earlier, when disable-user-list is set to true, allows local users to cause a denial of service (unable to login) by pressing the cancel button after entering a user name...
CVE-2013-6005
Cross-site scripting (XSS) vulnerability in Cybozu Dezie before 8.1.0 allows remote attackers to inject arbitrary web script or HTML via vectors related to the Cancel button...
Cross site scripting
Cross-site scripting (XSS) vulnerability in Cybozu Dezie before 8.1.0 allows remote attackers to inject arbitrary web script or HTML via vectors related to the Cancel button...
CVE-2005-4771
Trusted Mobility Agent PC Policy in Trust Digital Trusted Mobility Suite provides a cancel button that bypasses the domain-authentication prompt, which allows local users to sync a handheld PDA device despite a policy setting that sync is unauthorized...
CVE-1999-0471
The CVE-1999-0471 entry concerns Winroute’s remote proxy server, where an unauthenticated attacker can reconfigure the proxy through the "cancel" button. The PT-1999-1152 PTSecurity page confirms the issue but does not specify affected versions or a fix. Other sources reiterate that the vulnerabi...
PT-1999-1152 · Triton · Winroute
Name of the Vulnerable Software and Affected Versions: Winroute (affected versions not specified)
Description: The issue allows a remote attacker to reconfigure the proxy server without authentication. This can be achieved through the "cancel" button.
Recommendations: At the moment, there is no...