9 matches found
CVE-2026-35534
ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in PersonView.php due to incorrect use of sanitizeText as an output sanitizer for HTML attribute context. The function only strips HTML tags, it does not escape quote character...
CVE-2026-39330
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyAssign.php in ChurchCRM. Authenticated users with the role Manage Groups & Roles ManageGroups and Edit Records isEditRecordsEnabled can inject arbitrary SQL...
CVE-2026-39330 ChurchCRM has a Blind SQL injection in PropertyAssign.php
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyAssign.php in ChurchCRM. Authenticated users with the role Manage Groups & Roles ManageGroups and Edit Records isEditRecordsEnabled can inject arbitrary SQL...
CVE-2026-39330
ChurchCRM (pre-7.1.0) contains a SQL injection in /PropertyAssign.php exploitable by authenticated users with roles Manage Groups & Roles and Edit Records via the Value parameter. The vulnerability can allow arbitrary SQL execution to read/modify database data. It is fixed in 7.1.0; upgrade to 7....
CVE-2026-39330
ChurchCRM is an open-source church management system. Prior to 7.1.0, an SQL injection vulnerability was found in the endpoint /PropertyAssign.php in ChurchCRM. Authenticated users with the role Manage Groups & Roles ManageGroups and Edit Records isEditRecordsEnabled can inject arbitrary SQL...
CVE-2026-35534
ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in PersonView.php due to incorrect use of sanitizeText as an output sanitizer for HTML attribute context. The function only strips HTML tags, it does not escape quote character...
CVE-2026-35534 ChurchCRM has Stored XSS in PersonView.php via Facebook Field Attribute Injection
ChurchCRM is an open-source church management system. Prior to 7.1.0, a stored cross-site scripting vulnerability exists in PersonView.php due to incorrect use of sanitizeText as an output sanitizer for HTML attribute context. The function only strips HTML tags, it does not escape quote character...
CVE-2026-34402
...
CVE-2026-34402
ChurchCRM (open-source church management software) contains a time-based blind SQL injection vulnerability in PropertyAssign.php that affects versions before 7.1.0. With Edit Records or Manage Groups permissions, authenticated users can exfiltrate or modify any database content, including user cr...