CVE-2023-25347

Name of the Vulnerable Software and Affected Versions ChurchCRM version 4.5.3

Description A stored cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via input fields, specifically the Title input field in EventEditor.php.

Recommendations For ChurchCRM version 4.5.3, consider disabling the Title input field in EventEditor.php until a patch is available to prevent exploitation. Restrict access to EventEditor.php to minimize the risk of arbitrary web script or HTML injection. Avoid using the Title input field in the affected area until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.