Shingleskat

#21997 of 53,624
10.7 Total CVSS
Vulnerabilities · 2
Medium · 2
PT-2026-30891
5.3
2026-04-07
Churchcrm · Churchcrm · CVE-2026-35578
**Name of the Vulnerable Software and Affected Versions** ChurchCRM versions prior to 7.0.0 **Description** ChurchCRM is an open-source church management system. Prior to version 7.0.0, it was possible to create a link within the application such that an authenticated user who clicked the 'Cancel' button would be redirected to a URL chosen by an attacker. This issue was observed in multiple areas of the application, including `DonatedItemEditor.php`, where all instances of 'linkBack' should be assessed. **Recommendations** Update to version 7.0.0 or later.
PT-2026-20912
5.4
2026-02-19
Churchcrm · Churchcrm · CVE-2026-26059
**Name of the Vulnerable Software and Affected Versions** ChurchCRM versions prior to 6.8.2 **Description** ChurchCRM is an open-source church management system. An authenticated user with permission to edit groups could store a JavaScript payload that would execute when the group was viewed in the Group View. The `Group View` is the affected component. Version 6.8.2 resolves this issue. **Recommendations** Update to version 6.8.2 or later.