CVE-2023-25348

Name of the Vulnerable Software and Affected Versions ChurchCRM version 4.5.3

Description The issue allows attackers to execute arbitrary code via a crafted Excel file, exploiting a CSV injection vulnerability. This vulnerability is present in the Last Name and First Name input fields when creating a new person.

Recommendations For ChurchCRM version 4.5.3, consider restricting input in the Last Name and First Name fields to prevent CSV injection attacks until a patch is available. As a temporary workaround, avoid using the Last Name and First Name input fields for creating new persons with potentially malicious data. At the moment, there is no information about a newer version that contains a fix for this vulnerability.