9 matches found
CVE-2026-35567
...
EUVD-2026-19722
ChurchCRM is an open-source church management system. Prior to 7.1.0, the NewRole POST parameter in src/MemberRoleChange.php is used in an SQL query without proper integer validation, allowing authenticated users to inject arbitrary SQL. The attack requires an authenticated session with...
CVE-2026-35567
ChurchCRM Before version 7.1.0, the POST parameter NewRole in src/MemberRoleChange.php is used in an SQL query without proper integer validation, allowing an authenticated user with the ManageGroups role to inject arbitrary SQL. Requires knowledge of a valid GroupID and PersonID (obtainable from ...
PT-2026-30889
ChurchCRM is an open-source church management system. Prior to 7.1.0, the NewRole POST parameter in src/MemberRoleChange.php is used in an SQL query without proper integer validation, allowing authenticated users to inject arbitrary SQL. The attack requires an authenticated session with...
CVE-2025-40709 Cross-Site Scripting (XSS) vulnerability in OpenAtlas by ACDH-CH
Cross-Site Scripting XSS vulnerability in OpenAtlas v8.9.0 from the Austrian Centre for Digital Humanities and Cultural Heritage ACDH-CH, due to inadequate validation of user input when a POST request is sent. The vulnerabilities could allow a remote user to send specially crafted queries to an...
KASO 安全漏洞
KASO is an application from KASO Inc. A security vulnerability exists in KASO v9.0, which stems from the discovery of an SQL injection vulnerability via the personid parameter in /cardcase/editcard.jsp...
PT-2024-34402 · Kaso · Kaso
Name of the Vulnerable Software and Affected Versions: KASO version 9.0 Description: A SQL injection issue was discovered via the person id parameter at the "/cardcase/editcard.jsp" API endpoint. This allows for potential exploitation of the database. Recommendations: For KASO version 9.0, consid...
PT-2024-21212 · Amss++ · Amss++
Name of the Vulnerable Software and Affected Versions: AMSS++ version 4.31 Description: The issue allows SQL injection through the /amssplus/modules/person/pic show.php endpoint, in the person id parameter. This could enable a remote attacker to send a specially crafted SQL query to the server an...
PT-2022-20688 · Churchcrm · Churchcrm
Name of the Vulnerable Software and Affected Versions: ChurchCRM version 4.4.5 Description: There is a SQL Injection issue via the PersonID field in the "/churchcrm/WhyCameEditor.php" API endpoint. Recommendations: For ChurchCRM version 4.4.5, as a temporary workaround, consider restricting acces...