Rowan Crowley

16 exploits Active since Aug 2023
CVE-2023-38758 WRITEUP MEDIUM WRITEUP
wger Project wger Workout Manager <2.2.0a3 - XSS
Cross Site Scripting vulnerability in wger Project wger Workout Manager v.2.2.0a3 allows a remote attacker to gain privileges via the license_author field in the add-ingredient function in the templates/ingredients/view.html, models/ingredients.py, and views/ingredients.py components.
CVSS 5.4
CVE-2023-38759 WRITEUP HIGH WRITEUP
wger Project wger Workout Manager 2.2.0a3 - CSRF
Cross Site Request Forgery (CSRF) vulnerability in wger Project wger Workout Manager 2.2.0a3 allows a remote attacker to gain privileges via the user-management feature in the gym/views/gym.py, templates/gym/reset_user_password.html, templates/user/overview.html, core/views/user.py, and templates/user/preferences.html, core/forms.py components.
CVSS 8.8
CVE-2023-38760 WRITEUP HIGH WRITEUP
ChurchCRM 5.0.0 - SQL Injection via QueryView.php Role and Gender Parameters
SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the role and gender parameters within the /QueryView.php component.
CVSS 7.5
CVE-2023-38761 WRITEUP MEDIUM WRITEUP
ChurchCRM 5.0.0 - Cross-Site Scripting in systemSettings.php
Cross Site Scripting (XSS) vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to execute arbitrary code via a crafted payload to the systemSettings.php component.
CVSS 6.1
CVE-2023-38762 WRITEUP HIGH WRITEUP
ChurchCRM 5.0.0 - SQL Injection via QueryView.php friendmonths Parameter
SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the friendmonths parameter within the /QueryView.php.
CVSS 7.5
CVE-2023-38763 WRITEUP MEDIUM WRITEUP
ChurchCRM 5.0.0 - SQL Injection via FundRaiserID Parameter
SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the FundRaiserID parameter within the /FundRaiserEditor.php endpoint.
CVSS 6.5
CVE-2023-38764 WRITEUP HIGH WRITEUP
ChurchCRM 5.0.0 - SQL Injection via QueryView.php birthmonth and percls Parameters
SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the birthmonth and percls parameters within the /QueryView.php.
CVSS 7.5
CVE-2023-38765 WRITEUP HIGH WRITEUP
ChurchCRM 5.0.0 - SQL Injection via QueryView.php membermonth Parameter
SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the membermonth parameter within the /QueryView.php.
CVSS 7.5
CVE-2023-38766 WRITEUP MEDIUM WRITEUP
ChurchCRM 5.0.0 - Cross-Site Scripting via PersonView.php
Cross Site Scripting (XSS) vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to execute arbitrary code via a crafted payload to the PersonView.php component.
CVSS 5.4
CVE-2023-38767 WRITEUP HIGH WRITEUP
ChurchCRM 5.0.0 - SQL Injection via QueryView.php Parameters
SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the 'value' and 'custom' parameters within the /QueryView.php.
CVSS 7.5
CVE-2023-38768 WRITEUP HIGH WRITEUP
ChurchCRM 5.0.0 - SQL Injection via PropertyID Parameter in QueryView.php
SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the PropertyID parameter within the /QueryView.php.
CVSS 7.5
CVE-2023-38769 WRITEUP HIGH WRITEUP
ChurchCRM 5.0.0 - SQL Injection via QueryView.php searchstring and searchwhat Parameters
SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the searchstring and searchwhat parameters within the /QueryView.php.
CVSS 7.5
CVE-2023-38770 WRITEUP HIGH WRITEUP
ChurchCRM 5.0.0 - SQL Injection via QueryView.php Group Parameter
SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the group parameter within the /QueryView.php.
CVSS 7.5
CVE-2023-38771 WRITEUP HIGH WRITEUP
ChurchCRM 5.0.0 - SQL Injection via volopp Parameter in QueryView.php
SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the volopp parameter within the /QueryView.php.
CVSS 7.5
CVE-2023-38773 WRITEUP HIGH WRITEUP
ChurchCRM 5.0.0 - SQL Injection via volopp1 and volopp2 Parameters
SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the volopp1 and volopp2 parameters within the /QueryView.php.
CVSS 7.5
CVE-2025-51691 WRITEUP MEDIUM WRITEUP
MarkTwo <e3a1d3f90cce4ea9c26efcbbf3a1cbfb9dcdb298 - XSS
Cross-Site Scripting (XSS) vulnerability found in MarkTwo commit e3a1d3f90cce4ea9c26efcbbf3a1cbfb9dcdb298 (May 2025) allows a remote attacker to execute arbitrary code via a crafted script input to the editor interface. The application does not properly sanitize user-supplied Markdown before rendering it. Successful exploitation could lead to session hijacking, credential theft, or arbitrary client-side code execution in the context of the victim's browser.
CVSS 6.1