0X72303074

**Name of the Vulnerable Software and Affected Versions** wger Workout Manager version 2.2.0a3 **Description** A Cross Site Scripting issue allows a remote attacker to gain privileges via the `license author` field in the add-ingredient function in the `templates/ingredients/view.html`, `models/ingredients.py`, and `views/ingredients.py` components. **Recommendations** For version 2.2.0a3, as a temporary workaround, consider disabling the `add-ingredient` function until a patch is available. Restrict access to the `license author` field in the affected components to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.

**Name of the Vulnerable Software and Affected Versions** wger Project wger Workout Manager version 2.2.0a3 **Description** A Cross Site Request Forgery (CSRF) issue allows a remote attacker to gain privileges via the user-management feature in the gym/views/gym.py, templates/gym/reset user password.html, templates/user/overview.html, core/views/user.py, and templates/user/preferences.html, core/forms.py components. This can be exploited through the `user-management` feature. **Recommendations** As a temporary workaround, consider disabling the `user-management` feature until a patch is available. Restrict access to the vulnerable components, such as `gym/views/gym.py`, `templates/gym/reset user password.html`, `templates/user/overview.html`, `core/views/user.py`, and `templates/user/preferences.html`, `core/forms.py`, to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ChurchCRM version 5.0.0 **Description** A SQL injection issue allows a remote attacker to obtain sensitive information via the `role` and `gender` parameters within the "/QueryView.php" component. **Recommendations** For ChurchCRM version 5.0.0, consider disabling the "/QueryView.php" component or restricting access to it until a patch is available. Avoid using the `role` and `gender` parameters in the affected component to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ChurchCRM version 5.0.0 **Description** A Cross Site Scripting (XSS) issue allows a remote attacker to execute arbitrary code via a crafted payload to the "systemSettings.php" component. This enables the attacker to perform unauthorized actions on the system. **Recommendations** For ChurchCRM version 5.0.0, consider disabling access to the "systemSettings.php" component until a patch is available to prevent exploitation of the XSS vulnerability. Restricting user input to prevent crafted payloads from being executed is also recommended. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ChurchCRM version 5.0.0 **Description** A SQL injection issue allows a remote attacker to obtain sensitive information via the `friendmonths` parameter within the "/QueryView.php" API endpoint. **Recommendations** For ChurchCRM version 5.0.0, consider disabling access to the "/QueryView.php" endpoint or restricting the use of the `friendmonths` parameter until a patch is available. Avoid using the `friendmonths` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** ChurchCRM version 5.0.0 **Description** A SQL injection issue allows a remote attacker to obtain sensitive information via the `FundRaiserID` parameter within the "/FundRaiserEditor.php" endpoint. **Recommendations** For ChurchCRM version 5.0.0, as a temporary workaround, consider restricting access to the "/FundRaiserEditor.php" endpoint until a patch is available. Avoid using the `FundRaiserID` parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ChurchCRM version 5.0.0 **Description** A SQL injection issue allows a remote attacker to obtain sensitive information via the `birthmonth` and `percls` parameters within the "/QueryView.php" API endpoint. **Recommendations** For ChurchCRM version 5.0.0, consider disabling access to the "/QueryView.php" API endpoint or restricting the use of the `birthmonth` and `percls` parameters until a patch is available.

**Name of the Vulnerable Software and Affected Versions** ChurchCRM version 5.0.0 **Description** A SQL injection issue allows a remote attacker to obtain sensitive information via the `membermonth` parameter within the "/QueryView.php" endpoint. **Recommendations** For ChurchCRM version 5.0.0, consider disabling access to the "/QueryView.php" endpoint or restricting the use of the `membermonth` parameter until a patch is available.

**Name of the Vulnerable Software and Affected Versions** ChurchCRM version 5.0.0 **Description** A Cross Site Scripting (XSS) issue allows a remote attacker to execute arbitrary code via a crafted payload to the `PersonView.php` component. This enables the attacker to perform unauthorized actions on the affected system. **Recommendations** For ChurchCRM version 5.0.0, update to a version that includes a fix for this issue, as no specific workaround is provided for this version. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ChurchCRM version 5.0.0 **Description** A SQL injection issue allows a remote attacker to obtain sensitive information via the `value` and `custom` parameters within the "/QueryView.php" API endpoint. **Recommendations** For ChurchCRM version 5.0.0, as a temporary workaround, consider restricting access to the "/QueryView.php" endpoint or disabling the use of the `value` and `custom` parameters until a patch is available. Avoid using the `value` and `custom` parameters in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ChurchCRM version 5.0.0 **Description** A SQL injection issue allows a remote attacker to obtain sensitive information via the `PropertyID` parameter within the "/QueryView.php" API endpoint. **Recommendations** For ChurchCRM version 5.0.0, consider disabling access to the "/QueryView.php" endpoint until a patch is available, or restrict the use of the `PropertyID` parameter to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ChurchCRM version 5.0.0 **Description** The issue allows a remote attacker to obtain sensitive information via the `searchstring` and `searchwhat` parameters within the "/QueryView.php" API endpoint. **Recommendations** For ChurchCRM version 5.0.0, consider disabling the "/QueryView.php" endpoint or restricting access to it until a patch is available. Avoid using the `searchstring` and `searchwhat` parameters in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ChurchCRM version 5.0.0 **Description** A SQL injection issue allows a remote attacker to obtain sensitive information via the `group` parameter within the "/QueryView.php" API endpoint. **Recommendations** For ChurchCRM version 5.0.0, update to a version that includes a fix for this issue, as using the `group` parameter in the "/QueryView.php" endpoint can lead to sensitive information disclosure. As a temporary workaround, consider restricting access to the "/QueryView.php" endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ChurchCRM version 5.0.0 **Description** The issue allows a remote attacker to obtain sensitive information via the `volopp` parameter within the "/QueryView.php" API endpoint. This enables the attacker to inject SQL code, potentially leading to unauthorized data access. **Recommendations** For ChurchCRM version 5.0.0, update to a version that includes a fix for this issue, as using the `volopp` parameter in the "/QueryView.php" endpoint poses a significant risk. As a temporary workaround, consider restricting access to the "/QueryView.php" endpoint to minimize the risk of exploitation. Avoid using the `volopp` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** ChurchCRM version 5.0.0 **Description** A SQL injection issue allows a remote attacker to obtain sensitive information via the `volopp1` and `volopp2` parameters within the "/QueryView.php" API endpoint. **Recommendations** For ChurchCRM version 5.0.0, consider restricting access to the "/QueryView.php" endpoint until a patch is available. As a temporary workaround, avoid using the `volopp1` and `volopp2` parameters in the affected API endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.