PT-2026-30891 · Churchcrm · Churchcrm
Shingleskat · Published 2026-04-07 · Updated 2026-04-07 · CVE-2026-35578
CVSS v4.0: 5.3 (Medium)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions
ChurchCRM versions prior to 7.0.0
Description
ChurchCRM is an open-source church management system. Prior to version 7.0.0, an attacker could craft a link to the application such that, when an authenticated user opened it and then clicked the 'Cancel' button, the user was redirected to a URL of the attacker's choosing (an open redirect). The issue was observed in multiple areas of the application, including DonatedItemEditor.php; all instances of the 'linkBack' value should be assessed.
Recommendations
Update to version 7.0.0 or later.
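As an added illustration (not ChurchCRM's own code, and not the project's fix), the block below shows the pattern behind this class of bug beside a hardened form of the check, written in Python for clarity. It assumes the return-URL value is a request parameter named linkBack, as the advisory names it; the fallback page, the page names and the sample links are constructed for the example.

```python
"""Open-redirect check for a 'linkBack'-style return-URL parameter.

Added example, not ChurchCRM code. The parameter name 'linkBack' comes from
the advisory; DEFAULT_BACK and the sample links are constructed.
"""
from urllib.parse import urlsplit

# Assumed same-origin page to fall back to when linkBack is missing or unsafe.
DEFAULT_BACK = "/DonatedItems.php"


def redirect_target_vulnerable(params: dict) -> str:
    """The flawed pattern: whatever the request supplied becomes the Cancel
    button's destination, so an attacker-crafted link controls it."""
    return params.get("linkBack", DEFAULT_BACK)


def is_local_path(value: str) -> bool:
    """True only for a value that a browser will resolve on the current origin."""
    if not value or any(ord(c) < 0x21 or ord(c) == 0x7F for c in value):
        return False  # empty, whitespace or control characters
    if "\\" in value:
        return False  # browsers treat '/\evil.example' like '//evil.example'
    if not value.startswith("/") or value.startswith("//"):
        return False  # absolute path only; '//host' is scheme-relative
    parts = urlsplit(value)
    # Belt and braces: no scheme (http:, javascript:) and no host component.
    return parts.scheme == "" and parts.netloc == ""


def redirect_target_fixed(params: dict) -> str:
    """Hardened pattern: use linkBack only when it is a same-origin path,
    otherwise send the user to a known page."""
    candidate = params.get("linkBack", "")
    return candidate if is_local_path(candidate) else DEFAULT_BACK


# Constructed sample values an attacker might place in a crafted link, plus
# two legitimate ones, to compare both behaviours side by side.
SAMPLE_LINK_BACKS = [
    "/DonatedItemEditor.php?DonatedItemID=1",  # legitimate
    "/Menu.php",                               # legitimate
    "https://evil.example/",                   # absolute external URL
    "//evil.example/",                         # scheme-relative
    "/\\evil.example",                         # backslash trick
    "javascript:alert(1)",                     # script scheme
    " /Menu.php",                              # leading whitespace
]


def compare(values=SAMPLE_LINK_BACKS):
    """Return (input, vulnerable target, fixed target) for each sample."""
    return [
        (v, redirect_target_vulnerable({"linkBack": v}),
         redirect_target_fixed({"linkBack": v}))
        for v in values
    ]


if __name__ == "__main__":
    for value, vuln, fixed in compare():
        print(f"{value!r:45} vulnerable -> {vuln!r:45} fixed -> {fixed!r}")
```

The check is deliberately strict: rather than trying to recognise every way a browser can be coaxed off-origin, it accepts only a path that begins with a single forward slash and contains no scheme, host, backslash or control character, and falls back to a fixed page for anything else. Where the set of legitimate return pages is small, an allowlist of those page paths is the simpler and stronger option.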
Weakness Enumeration
Open Redirect
Related Identifiers
Affected Products
Churchcrm