Penteztzmiczo

**Name of the Vulnerable Software and Affected Versions** ChurchCRM versions 5.13.0 and prior **Description** A time-based blind SQL Injection vulnerability exists in the EditEventAttendees.php file within the `EN tyid` parameter. The parameter is directly inserted into an SQL query without proper sanitization, allowing attackers to inject malicious SQL commands. This flaw can potentially allow attackers to delay the response, indicating the presence of an SQL injection vulnerability. While it is a time-based blind injection, it can be exploited to gain insights into the underlying database, and with further exploitation, sensitive data could be retrieved. The vulnerability requires Administrator permissions. **Recommendations** For ChurchCRM versions 5.13.0 and prior, as a temporary workaround, consider restricting access to the `EditEventAttendees.php` file and the `EN tyid` parameter to minimize the risk of exploitation. Avoid using the `EN tyid` parameter in the affected API endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ChurchCRM versions 5.13.0 and prior **Description** A boolean-based and time-based blind SQL Injection vulnerability exists in the DonatedItemEditor functionality, allowing an attacker to execute arbitrary SQL queries. The `CurrentFundraiser` parameter is directly concatenated into an SQL query without sufficient sanitization, enabling an attacker to manipulate database queries and execute arbitrary commands, potentially leading to data exfiltration, modification, or deletion. This issue requires Administrator privileges. **Recommendations** For ChurchCRM versions 5.13.0 and prior, consider disabling the `DonatedItemEditor` functionality until a patch is available to prevent exploitation of the SQL Injection vulnerability. Restrict access to the `CurrentFundraiser` parameter to minimize the risk of database query manipulation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ChurchCRM versions 5.13.0 and prior **Description** A boolean-based and time-based blind SQL Injection vulnerability exists in the BatchWinnerEntry functionality, allowing an attacker to execute arbitrary SQL queries. The `CurrentFundraiser` parameter is directly concatenated into an SQL query without sufficient sanitization, enabling an attacker to manipulate database queries and execute arbitrary commands, potentially leading to data exfiltration, modification, or deletion. This issue requires Administrator privileges. **Recommendations** For ChurchCRM versions 5.13.0 and prior, as a temporary workaround, consider disabling the `BatchWinnerEntry` functionality until a patch is available. Restrict access to the `CurrentFundraiser` parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ChurchCRM version 5.13.0 **Description** A vulnerability exists in ChurchCRM that allows an attacker to execute arbitrary JavaScript in a victim's browser via Reflected Cross-Site Scripting (XSS) in the EditEventAttendees.php page. This requires Administration privileges and affects the `EID` parameter. The flaw allows an attacker to steal session cookies, perform actions on behalf of an authenticated user, and gain unauthorized access to the application. **Recommendations** For ChurchCRM version 5.13.0, as a temporary workaround, consider disabling access to the EditEventAttendees.php page or restricting the use of the `EID` parameter until a patch is available. Avoid using the `EID` parameter in the affected page to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ChurchCRM versions 5.13.0 and prior **Description** A boolean-based blind SQL Injection vulnerability exists in the EditEventAttendees functionality, allowing an attacker to execute arbitrary SQL queries. The `EID` parameter is directly concatenated into an SQL query without proper sanitization, making it susceptible to SQL injection attacks. An attacker can manipulate the query, potentially leading to data exfiltration, modification, or deletion. This issue requires Administrator privileges. **Recommendations** For ChurchCRM versions 5.13.0 and prior, as a temporary workaround, consider disabling the EditEventAttendees functionality until a patch is available. Restrict access to the `EID` parameter to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ChurchCRM versions 5.13.0 and prior **Description** A time-based blind SQL Injection vulnerability exists in the EditEventTypes functionality, allowing an attacker to execute arbitrary SQL queries. The `newCountName` parameter is directly concatenated into an SQL query without proper sanitization, enabling an attacker to manipulate database queries and execute arbitrary commands. This could potentially lead to data exfiltration, modification, or deletion. **Recommendations** For ChurchCRM versions 5.13.0 and prior, as a temporary workaround, consider disabling the EditEventTypes functionality until a patch is available. Restrict access to the `newCountName` parameter in the affected functionality to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ChurchCRM versions 5.13.0 and prior **Description** A Stored Cross Site Scripting (XSS) vulnerability exists in the Group Editor page, allowing attackers to hijack user sessions. Admin users can inject malicious JavaScript in the description field, capturing the session cookie of authenticated users. The cookie can then be sent to an external server, enabling session hijacking and potentially leading to information disclosure, as exposed session cookies can be used to impersonate users and gain unauthorized access to sensitive information. **Recommendations** For ChurchCRM versions 5.13.0 and prior, consider disabling the Group Editor page or restricting access to it until a patch is available. As a temporary workaround, avoid using the description field in the Group Editor page to prevent malicious JavaScript injection. Restrict access to sensitive information and monitor user activity for potential session hijacking attempts. At the moment, there is no information about a newer version that contains a fix for this vulnerability.