Pikpikcu

Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 7.1.0 Description ChurchCRM, an open-source church management system, has a Reflected Cross-Site Scripting (XSS) issue on the login page. This is due to insufficient sanitization or encoding of the `username` parameter received from the URL. The value of the `username` parameter is directly displayed in the login page input element without filtering, enabling attackers to inject malicious JavaScript scripts. Successful exploitation can lead to the execution of scripts on the client side, potentially compromising sensitive data like session cookies or redirecting users to a malicious login form. Recommendations Update to version 7.1.0 or later.

Name of the Vulnerable Software and Affected Versions: Fanwei E-Office versions <= 9.4 Description: An unauthenticated file upload issue exists in the web management interface, affecting the "/general/index/UploadFile.php" endpoint. This endpoint improperly validates uploaded files when invoked with certain parameters, such as `uploadType=eoffice logo` or `uploadType=theme`. An attacker can exploit this by sending a crafted HTTP POST request to upload arbitrary files without authentication, potentially enabling remote code execution on the affected server. This could lead to the complete compromise of the web application and the underlying system. Recommendations: For Fanwei E-Office versions <= 9.4, as a temporary workaround, consider disabling the "/general/index/UploadFile.php" endpoint until a patch is available. Restrict access to this endpoint to minimize the risk of exploitation. Avoid using the `uploadType` parameter in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.