10Splayasec

**Nome do Software Vulnerável e Versões Afetadas** Versões do ChurchCRM anteriores à 6.5.4 **Descrição** O ChurchCRM é um sistema de gerenciamento de igrejas de código aberto. Existe uma vulnerabilidade de Cross-Site Scripting (XSS) Armazenado na página `GroupEditor.php`. Um usuário que cria uma função de grupo pode executar JavaScript malicioso, mas requer permissão para visualizar e modificar grupos. **Recomendações** Atualize para a versão 6.5.4 ou posterior.

**Name of the Vulnerable Software and Affected Versions** ChurchCRM version 4.5.3 **Description** A stored cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via input fields, specifically the `Title` input field in `EventEditor.php`. **Recommendations** For ChurchCRM version 4.5.3, consider disabling the `Title` input field in `EventEditor.php` until a patch is available to prevent exploitation. Restrict access to `EventEditor.php` to minimize the risk of arbitrary web script or HTML injection. Avoid using the `Title` input field in the affected area until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ChurchCRM version 4.5.3 **Description** A stored Cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the NoteEditor.php. This enables attackers to execute malicious scripts on the victim's browser, potentially leading to unauthorized actions or data theft. **Recommendations** For ChurchCRM version 4.5.3, update to a version that fixes the stored XSS vulnerability in NoteEditor.php to prevent remote attackers from injecting arbitrary web script or HTML. At the moment, there is no information about a newer version that contains a fix for this vulnerability.