10splayaSec

9 exploits Active since Apr 2023
CVE-2023-25346 WRITEUP MEDIUM WRITEUP
ChurchCRM 4.5.3 - Reflected Cross-Site Scripting via Family ID Parameter
A reflected cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the id parameter of /churchcrm/v2/family/not-found.
CVSS 6.1
CVE-2023-25347 WRITEUP MEDIUM WRITEUP
ChurchCRM 4.5.3 - Stored Cross-Site Scripting in Event Title Input Field
A stored cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3, allows remote attackers to inject arbitrary web script or HTML via input fields. These input fields are located in the "Title" Input Field in EventEditor.php.
CVSS 5.4
CVE-2023-25348 WRITEUP HIGH WRITEUP
ChurchCRM 4.5.3 - CSV Injection via Last Name and First Name Input Fields
ChurchCRM 4.5.3 was discovered to contain a CSV injection vulnerability via the Last Name and First Name input fields when creating a new person. These vulnerabilities allow attackers to execute arbitrary code via a crafted excel file.
CVSS 7.8
CVE-2023-26839 WRITEUP MEDIUM WRITEUP
ChurchCRM 4.5.3 - Cross-Site Request Forgery
A cross-site request forgery (CSRF) vulnerability in ChurchCRM v4.5.3 allows attackers to edit information for existing people on the site.
CVSS 4.3
CVE-2023-26840 WRITEUP MEDIUM WORKING POC
ChurchCRM 4.5.3 - Cross-Site Request Forgery
A cross-site request forgery (CSRF) vulnerability in ChurchCRM v4.5.3 allows attackers to set a person to a user and set that user to be an Administrator.
CVSS 5.3
CVE-2023-26841 WRITEUP MEDIUM WRITEUP
ChurchCRM 4.5.3 - Cross-Site Request Forgery
A cross-site request forgery (CSRF) vulnerability in ChurchCRM v4.5.3 allows attackers to change any user's password except for the user that is currently logged in.
CVSS 6.5
CVE-2023-26842 WRITEUP MEDIUM WRITEUP
ChurchCRM 4.5.3 - Stored Cross-Site Scripting via OptionManager.php
A stored Cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the OptionManager.php.
CVSS 5.4
CVE-2023-26843 WRITEUP MEDIUM WRITEUP
ChurchCRM 4.5.3 - Stored Cross-Site Scripting via NoteEditor.php
A stored Cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the NoteEditor.php.
CVSS 5.4
CVE-2023-31548 WRITEUP MEDIUM WRITEUP
ChurchCRM 4.5.3 - Stored Cross-Site Scripting in FundRaiserEditor.php
A stored Cross-site scripting (XSS) vulnerability in the FundRaiserEditor.php component of ChurchCRM v4.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload.
CVSS 5.4