Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-36136: ChurchCRM Version 4.4.5 — Stored XSS Vulnerability at Deposit Commend

ChurchCRM Version 4.4.5 has XSS vulnerabilities that allow attackers to store XSS via location input Deposit Comment.

CVE
Open in Source
#xss#vulnerability#google#git#php#chrome

Vulnerability Explanation:

ChurchCRM Version 4.4.5 has XSS vulnerabilities that allow attackers to store XSS via location input Deposit Comment.

Affected Component:

http://ip_address:port/churchcrm/FindDepositSlip.php

Payload :

<img src="test" onerror=confirm(“Grim-The-Ripper-Team-by-SOSECURE-Thailand”)>

Tested on:

  1. ChurchCRM Version 4.4.5 https://github.com/ChurchCRM/CRM/releases/tag/4.4.5
  2. Google Chrome Version 103.0.5060.114 (Official Build) (64-bit)

Steps to attack:

  1. Login with admin credential.

2. Go to the “Deposit” as show in the picture and Click on the “View All Deposits” then click on the “Deposit Comment” enter the XSS payload and press the “Add New Deposit” button.

3. After press the “Add New Deposit” button The XSS payload will run immediately.

Discoverer:

Grim The Ripper Team by SOSECURE Thailand

Reference:

https://churchcrm.io
https://github.com/ChurchCRM/CRM/releases/tag/4.4.5

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE