82199 matches found
CVE-2025-68111
ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability exists in the eGive.php file within the "ReImport" functionality. An authenticated user with finance privileges can execute arbitrary SQL queries by manipulating the MissingEgiveFamID...
CVE-2025-68112
ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability in ChurchCRM's Event Attendee Editor allows authenticated users to execute arbitrary SQL commands, leading to complete database compromise, administrative credential theft, and potentia...
CVE-2025-68110
ChurchCRM is an open-source church management system. Versions prior to 6.5.3 may disclose database information in an error message including the host, ip, username, and password. Version 6.5.3 fixes the issue...
CVE-2025-68112
ChurchCRM (open-source church management system) has a SQL injection vulnerability in the Event Attendee Editor (and Event Participant Editor) affecting versions prior to 6.5.3. The issue allows authenticated users to submit arbitrary SQL, enabling complete database compromise, extraction of sens...
CVE-2025-68112 ChurchCRM has SQL injection in EditEventAttendees.php
ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability in ChurchCRM's Event Attendee Editor allows authenticated users to execute arbitrary SQL commands, leading to complete database compromise, administrative credential theft, and potentia...
EUVD-2025-203987
ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability in ChurchCRM's Event Attendee Editor allows authenticated users to execute arbitrary SQL commands, leading to complete database compromise, administrative credential theft, and potentia...
CVE-2025-68110
ChurchCRM has an information-disclosure vulnerability: versions prior to 6.5.3 may reveal database credentials (host, IP, username, password) in an error message. The issue is fixed in version 6.5.3. No exploit details are provided in the connected documents; impact is information disclosure. Aff...
EUVD-2025-203989
ChurchCRM is an open-source church management system. Versions prior to 6.5.3 may disclose database information in an error message including the host, ip, username, and password. Version 6.5.3 fixes the issue...
CVE-2025-68110 ChurchCRM discloses database information on error message
ChurchCRM is an open-source church management system. Versions prior to 6.5.3 may disclose database information in an error message including the host, ip, username, and password. Version 6.5.3 fixes the issue...
CVE-2025-68109 ChurchCRM vulnerable to RCE with database restore functionality
ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file to enable direct...
CVE-2025-68109
ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file to enable direct...
CVE-2025-68109
ChurchCRM (open-source CRM) is affected in versions prior to 6.5.3. The vulnerability arises in the Database Restore feature, which does not validate the content or file extension of uploaded files, enabling an attacker to upload a web shell and then an .htaccess file to gain direct access. This ...
EUVD-2025-203991
ChurchCRM is an open-source church management system. Versions prior to 6.5.3 have a SQL injection vulnerability in the src/CartToFamily.php file, specifically in how the PersonAddress POST parameter is handled. Unlike other parameters in the same file which are correctly cast to integers using t...
CVE-2025-67877 ChurchCRM SQL Injection Vulnerability
ChurchCRM is an open-source church management system. Versions prior to 6.5.3 have a SQL injection vulnerability in the src/CartToFamily.php file, specifically in how the PersonAddress POST parameter is handled. Unlike other parameters in the same file which are correctly cast to integers using t...
CVE-2025-66395
ChurchCRM is an open-source church management system. Prior to version 6.5.3, a SQL injection vulnerability exists in the src/ListEvents.php file. When filtering events by type, the WhichType POST parameter is not properly sanitized or type-casted before being used in multiple SQL queries. This...