Loociprian

Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 7.1.0 Description ChurchCRM, an open-source church management system, contains a cross-site scripting (XSS) issue. Input provided through the `EName` and `EDesc` parameters in the EditEventAttendees.php file can be rendered without proper encoding, allowing for the execution of arbitrary JavaScript code in a victim's browser. Recommendations Update to version 7.1.0 or later.

Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 7.1.0 Description The application is susceptible to time-based SQL injection due to insufficient input validation. The `/Reports/ConfirmReportEmail.php?familyId=` endpoint does not properly sanitize user input when constructing SQL queries. Recommendations Update to version 7.1.0 or later.

**Name of the Vulnerable Software and Affected Versions** SeedDMS versions 6.0.18 and 5.1.25 and below **Description** The issue allows an attacker with admin privileges to inject a payload inside the "Role management" menu and then trigger the payload by loading the "Users management" menu, resulting in stored XSS. **Recommendations** For SeedDMS versions 6.0.18 and below, and 5.1.25 and below, consider disabling access to the "Role management" and "Users management" menus until a patch is available. As a temporary workaround, restrict the use of admin privileges to minimize the risk of exploitation.