CVE-2020-28849

Name of the Vulnerable Software and Affected Versions ChurchCRM version 4.2.1

Description The issue allows remote attackers to execute arbitrary code and gain sensitive information via a crafted payload in the Add New Deposit field in the View All Deposit module. This is a Cross Site Scripting (XSS) vulnerability.

Recommendations For ChurchCRM version 4.2.1, consider disabling the Add New Deposit field in the View All Deposit module as a temporary workaround until a patch is available. Restrict access to the View All Deposit module to minimize the risk of exploitation. Avoid using crafted payloads in the Add New Deposit field until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.