CVE-2023-38773: GitHub - 0x72303074/CVE-Disclosures
SQL injection vulnerability in ChurchCRM v5.0.0 allows a remote attacker to obtain sensitive information via the volopp1 and volopp2 parameters within /QueryView.php.
CVE-Disclosures
Welcome to the CVE disclosures section of this repository! Here, you’ll find a list of security vulnerabilities that I have discovered while working on Free Open Source Software (FOSS) applications.
CVEs I Have Discovered

| Findings | Description |
| --- | --- |
| CVE-2023-38758 | A stored cross-site scripting (XSS) vulnerability in wger Workout Manager v2.2.0a3 allows remote attackers to inject arbitrary web script or HTML via the license_author parameter of the /en/nutrition/ingredient/add/ endpoint. |
| CVE-2023-38759 | A cross-site request forgery (CSRF) vulnerability in wger Workout Manager v2.2.0a3 allows remote attackers to gain privileges via the email change and password reset functionality at /en/user/preferences, /en/gym/user/1/reset-user-password, and /en/user/password/reset/. These attack vectors can allow any account to be compromised, with the resulting data exfiltrated to the attacker's server. |
| CVE-2023-38760 | A SQL injection vulnerability in ChurchCRM v5.0.0 allows a remote attacker to obtain sensitive database information via the role and gender parameters within the /QueryView.php?QueryID=7 endpoint (Person by Role and Gender query). This can be used to disclose anything in the database, including user credentials. |
| CVE-2023-38761 | A cross-site scripting (XSS) vulnerability in ChurchCRM v5.0.0 allows remote attackers to inject arbitrary web script or HTML via a crafted payload to the systemSettings.php endpoint. The payload is placed in the site header and is triggered whenever any authenticated user views any page. It can be used to execute arbitrary JavaScript within the victim's session, disclose information, or mount further CSRF-style attacks. |
| CVE-2023-38762 | A SQL injection vulnerability in ChurchCRM v5.0.0 allows a remote attacker to obtain sensitive database information via the friendmonths parameter within the /QueryView.php?QueryID=26 endpoint (Recent Friends query). This can be used to disclose anything in the database, including user credentials. |
| CVE-2023-38763 | A SQL injection vulnerability in ChurchCRM v5.0.0 allows an authenticated remote attacker to obtain sensitive database information via the FundRaiserID parameter within the /FundRaiserEditor.php endpoint. This can be used to disclose anything in the database, including user credentials. |
| CVE-2023-38764 | A SQL injection vulnerability in ChurchCRM v5.0.0 allows a remote attacker to obtain sensitive database information via the birthmonth and percls parameters within the /QueryView.php?QueryID=18 endpoint (Birthdays query). This can be used to disclose anything in the database, including user credentials. |
| CVE-2023-38765 | A SQL injection vulnerability in ChurchCRM v5.0.0 allows a remote attacker to obtain sensitive database information via the membermonth parameter within the /QueryView.php?QueryID=22 endpoint (Membership Anniversaries query). This can be used to disclose anything in the database, including user credentials. |
| CVE-2023-38766 | A cross-site scripting (XSS) vulnerability in ChurchCRM v5.0.0 allows remote attackers to inject arbitrary web script or HTML via a crafted payload to the PersonView.php endpoint. An authenticated attacker can store the payload by editing their own user profile; it is triggered whenever anyone views that profile. It can be used to execute arbitrary JavaScript within the victim's session, disclose information, or mount further CSRF-style attacks. |
| CVE-2023-38767 | A SQL injection vulnerability in ChurchCRM v5.0.0 allows a remote attacker to obtain sensitive database information via the value and custom parameters within the /QueryView.php?QueryID=200 endpoint (CustomSearch query). This can be used to disclose anything in the database, including user credentials. |
| CVE-2023-38768 | A SQL injection vulnerability in ChurchCRM v5.0.0 allows a remote attacker to obtain sensitive database information via the PropertyID parameter within the /QueryView.php?QueryID=9 endpoint (Person by Property query). This can be used to disclose anything in the database, including user credentials. |
| CVE-2023-38769 | A SQL injection vulnerability in ChurchCRM v5.0.0 allows a remote attacker to obtain sensitive database information via the searchstring and searchwhat parameters within the /QueryView.php?QueryID=15 endpoint (Advanced Search query). This can be used to disclose anything in the database, including user credentials. |
| CVE-2023-38770 | A SQL injection vulnerability in ChurchCRM v5.0.0 allows a remote attacker to obtain sensitive database information via the group parameter within the /QueryView.php?QueryID=21 endpoint (Registered Students query). This can be used to disclose anything in the database, including user credentials. |
| CVE-2023-38771 | A SQL injection vulnerability in ChurchCRM v5.0.0 allows a remote attacker to obtain sensitive database information via the volopp parameter within the /QueryView.php?QueryID=25 endpoint (Volunteers - 'for a particular opportunity' query). This can be used to disclose anything in the database, including user credentials. |
| CVE-2023-38773 | A SQL injection vulnerability in ChurchCRM v5.0.0 allows a remote attacker to obtain sensitive database information via the volopp1 and volopp2 parameters within the /QueryView.php?QueryID=100 endpoint (Volunteers - 'who match two specific codes' query). This can be used to disclose anything in the database, including user credentials. |
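The QueryView.php findings above all share one root cause: a request parameter (volopp, birthmonth, group, and so on) is spliced into the SQL text of a pre-defined query, so a UNION in that parameter reads any other table, including the one holding user credentials. The example below is added here to show that mechanism and its fix end to end; it is not ChurchCRM code, the schema and table names (volunteer, person, user) are constructed for the demo, and it uses SQLite in Python rather than ChurchCRM's own PHP/MySQL stack. It also covers a caveat the Birthdays query (CVE-2023-38764) illustrates: when the parameter lands in an unquoted numeric position, escaping quotes does nothing, and only binding (or type-checking) the value closes the hole.

```python
"""Added example: string-spliced query parameters vs. bound parameters.

Not ChurchCRM's code. All tables, rows and hash strings are constructed
sample data so the script runs offline.
"""
import sqlite3


def make_db():
    """Constructed sample schema: two tables the queries are meant to read
    and one (user) they never should."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE volunteer (name TEXT, code TEXT);
        CREATE TABLE person (name TEXT, birth_month INTEGER);
        CREATE TABLE user (username TEXT, password_hash TEXT);
        INSERT INTO volunteer VALUES ('Alice', 'usher'), ('Bob', 'greeter');
        INSERT INTO person VALUES ('Alice', 3), ('Bob', 7);
        INSERT INTO user VALUES ('admin', 'hash-of-admin-pw'),
                               ('pastor', 'hash-of-pastor-pw');
    """)
    return conn


def volunteers_vulnerable(conn, volopp):
    # The vulnerable pattern: the request parameter becomes part of the SQL
    # text, so a quote in it ends the literal and the rest is parsed as SQL.
    sql = f"SELECT name, code FROM volunteer WHERE code = '{volopp}'"
    return conn.execute(sql).fetchall()


def birthdays_quote_escaped(conn, birthmonth):
    # A common non-fix: escape quotes and splice anyway. The value sits in a
    # numeric position with no quotes around it, so there is nothing to escape
    # and a UNION passes straight through.
    escaped = str(birthmonth).replace("'", "''")
    sql = f"SELECT name, birth_month FROM person WHERE birth_month = {escaped}"
    return conn.execute(sql).fetchall()


def volunteers_safe(conn, volopp):
    # Bound parameter: the driver passes the value separately from the SQL
    # text, so it can only ever be compared, never parsed.
    sql = "SELECT name, code FROM volunteer WHERE code = ?"
    return conn.execute(sql, (volopp,)).fetchall()


def birthdays_safe(conn, birthmonth):
    # Validate the type and range first, then bind. int() rejects anything
    # that is not a plain integer, so a UNION never reaches the database.
    month = int(birthmonth)
    if not 1 <= month <= 12:
        raise ValueError("birthmonth out of range")
    sql = "SELECT name, birth_month FROM person WHERE birth_month = ?"
    return conn.execute(sql, (month,)).fetchall()


# Constructed payloads. Each attacker SELECT returns exactly the two columns
# the original query returns, which is what makes the UNION well-formed.
VOLOPP_PAYLOAD = "x' UNION SELECT username, password_hash FROM user -- "
BIRTHMONTH_PAYLOAD = "13 UNION SELECT username, password_hash FROM user"


def demo():
    """Run every variant against the same database and collect the rows."""
    conn = make_db()
    results = {
        "vulnerable volopp": sorted(volunteers_vulnerable(conn, VOLOPP_PAYLOAD)),
        "quote-escaped birthmonth": sorted(
            birthdays_quote_escaped(conn, BIRTHMONTH_PAYLOAD)),
        "bound volopp": volunteers_safe(conn, VOLOPP_PAYLOAD),
    }
    try:
        birthdays_safe(conn, BIRTHMONTH_PAYLOAD)
        results["typed birthmonth"] = "accepted (unexpected)"
    except ValueError:
        results["typed birthmonth"] = "rejected before reaching the database"
    return results


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The two vulnerable variants return the credential rows from the user table; the bound variant returns nothing for the same payload, and the typed variant refuses it before a query is built. In the PHP code base the page describes, the equivalent of the bound form is a PDO or mysqli prepared statement with the value passed as a bound parameter; the unquoted-numeric caveat is the reason to bind every parameter rather than only those that appear inside quotes.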
I will update this list as soon as new vulnerabilities are found and available for public disclosure.