Mateusz-Sa

#9565of 53,632
28.9Total CVSS
Vulnerabilities · 4
Medium
2
High
2
PT-2026-30939
7.0
2026-04-07
Churchcrm · Churchcrm · CVE-2026-35572
Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 6.5.3 Description ChurchCRM, an open-source church management system, is susceptible to Server-Side Request Forgery (SSRF). By providing a specially crafted URL within the Referer request header, an attacker can initiate HTTP/HTTPS requests to arbitrary hosts. The server then makes an outbound request to a domain controlled by the attacker, as confirmed by Outbound Asset Scanning Testing (OAST). Recommendations Update to version 6.5.3 or later.
PT-2025-51941
6.2
2025-12-17
Churchcrm · Churchcrm · CVE-2025-68401
**Name of the Vulnerable Software and Affected Versions** ChurchCRM versions prior to 6.0.0 **Description** The application inadequately sanitizes or encodes user-supplied HTML/JS, leading to stored cross-site scripting (XSS). This allows an attacker to execute JavaScript in the browsers of other users viewing the content. The script can access web origin data and perform actions with the victim's privileges. If session cookies are not marked as HttpOnly, the script can read cookie data, potentially enabling session theft and account takeover. **Recommendations** Update to version 6.0.0 or later.
PT-2025-51358
6.9
2025-12-16
Churchcrm · Churchcrm · CVE-2025-67874
**Name of the Vulnerable Software and Affected Versions** ChurchCRM versions prior to 6.5.0 **Description** The application returns passwords submitted by users in plain text within HTTP responses. This disclosure of credentials could lead to their compromise and potentially amplify the impact of other issues like Cross-Site Scripting (XSS), Improper Access Control (IDOR), and session fixation, allowing attackers to obtain user passwords. **Recommendations** Update to version 6.5.0 or later.
PT-2025-23259
8.8
2025-05-30
Unknown · Getsimple Cms · CVE-2025-48492
**Name of the Vulnerable Software and Affected Versions** GetSimple CMS versions 3.3.16 through 3.3.21 **Description** The issue allows an authenticated user with access to the Edit component to inject arbitrary PHP into a component file and execute it via a crafted query string, resulting in Remote Code Execution (RCE). This issue is set to be patched in version 3.3.22. **Recommendations** For versions 3.3.16 through 3.3.21, update to version 3.3.22 to resolve the issue. As a temporary workaround, consider restricting access to the Edit component to minimize the risk of exploitation.