Georgios Bitounis

**Name of the Vulnerable Software and Affected Versions** ChurchCRM version 5.5.0 **Description** The issue concerns a Blind SQL Injection vulnerability, specifically time-based, that can be exploited via the `CurrentFundraiser` GET parameter in the FRBidSheets.php file. **Recommendations** For ChurchCRM version 5.5.0, consider restricting access to the FRBidSheets.php file or disabling the use of the `CurrentFundraiser` parameter until a patch is available. Avoid using the `CurrentFundraiser` parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ChurchCRM version 5.5.0 **Description** The issue concerns a Blind SQL Injection vulnerability, specifically a time-based attack, that can be exploited via the `familyId` GET parameter in the ConfirmReport.php file. This allows an attacker to potentially extract or manipulate sensitive data from the database. **Recommendations** For ChurchCRM version 5.5.0, consider restricting access to the ConfirmReport.php file or disabling the use of the `familyId` GET parameter until a patch is available. Avoid using the `familyId` parameter in the affected endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ChurchCRM version 5.5.0 **Description** The issue concerns a Blind SQL Injection vulnerability, specifically time-based, in the FRCertificates.php file. This vulnerability can be exploited via the `CurrentFundraiser` GET parameter. **Recommendations** For ChurchCRM version 5.5.0, as a temporary workaround, consider restricting access to the FRCertificates.php file until a patch is available. Avoid using the `CurrentFundraiser` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ChurchCRM version 5.5.0 **Description** The issue concerns a Blind SQL Injection vulnerability, specifically time-based, that can be exploited via the `EventCount` POST parameter in the `/EventEditor.php` endpoint. This allows for potential unauthorized access to database information. **Recommendations** For ChurchCRM version 5.5.0, consider restricting access to the `/EventEditor.php` endpoint until a patch is available. As a temporary workaround, avoid using the `EventCount` parameter in the affected endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ChurchCRM version 5.5.0 **Description** A reflected cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via the `type` parameter of the "/EventAttendance.php" API endpoint. This enables attackers to execute malicious scripts on the victim's browser, potentially leading to unauthorized actions or data theft. **Recommendations** For ChurchCRM version 5.5.0, consider restricting access to the "/EventAttendance.php" endpoint until a patch is available, and avoid using the `type` parameter in this endpoint to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ChurchCRM version 5.5.0 **Description** The issue concerns a Blind SQL Injection vulnerability, specifically time-based, that can be exploited via the `EID` parameter in the `EventEditor.php` file. This allows for potential unauthorized access to database information. **Recommendations** For ChurchCRM version 5.5.0, consider restricting access to the `EventEditor.php` file until a patch is available, and avoid using the `EID` parameter in the affected POST requests to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ChurchCRM version 5.5.0 **Description** The issue concerns a Blind SQL Injection vulnerability, specifically time-based, in the FRCatalog.php file. This vulnerability can be exploited via the `CurrentFundraiser` GET parameter in the API endpoint. **Recommendations** For ChurchCRM version 5.5.0, as a temporary workaround, consider restricting access to the FRCatalog.php file or disabling the use of the `CurrentFundraiser` parameter until a patch is available. Avoid using the `CurrentFundraiser` parameter in the affected API endpoint until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** ChurchCRM version 5.5.0 **Description** A XSS issue was found in the functionality to edit events, where malicious JS or HTML code can be inserted in the `Event Sermon` field in `EventEditor.php`. This allows for the potential execution of malicious code. **Recommendations** For ChurchCRM version 5.5.0, consider disabling the editing of events or restricting access to the `EventEditor.php` file until a patch is available. Avoid inserting untrusted input into the `Event Sermon` field to minimize the risk of exploitation.