Welcome to the CVE disclosures section of this repository! Here, you'll find a list of potential security vulnerabilities that I have discovered while working on Free Open Source Software (FOSS) applications.
Below is a list of all the CVEs that I have discovered.
| Findings | Description |
|---|---|
| GHSA-hw47-q7r3-m8pj | A Stored Cross-Site Scripting (XSS) vulnerability has been detected in the ITFlow application. This flaw allows attackers to inject malicious code into the application, which can then be executed by a victim's browser. The threat actor can change a user's password on their behalf without the user's knowledge, resulting in a full account takeover. |
| CVE-2023-25346 | A reflected cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the id parameter of the /churchcrm/v2/family/not-found endpoint. |
| CVE-2023-25347 | A stored cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3, allows remote attackers to inject arbitrary web script or HTML via input fields. These input fields are located in the "Title" Input Field in EventEditor.php. |
| CVE-2023-25348 | ChurchCRM 4.5.3 contains a CSV/Formula injection vulnerability via the Last Name and First Name input fields when creating a new person. These vulnerabilities allow attackers to execute arbitrary code through a crafted Excel file, which could be potentially harmful. |
| CVE-2023-26839 | A cross-site request forgery (CSRF) vulnerability in ChurchCRM 4.5.3 allows attackers to edit information from existing people on the site. |
| CVE-2023-26840 | A cross-site request forgery (CSRF) vulnerability in ChurchCRM 4.5.3 allows attackers to set a person to a Administrator user. |
| CVE-2023-26841 | A cross-site request forgery (CSRF) vulnerability in ChurchCRM v4.5.3 allows attackers to change any user's password except for the user that is currently logged in. |
| CVE-2023-26842 | A stored Cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the OptionManager.php endpoint. |
| CVE-2023-26843 | A stored Cross-site scripting (XSS) vulnerability in ChurchCRM 4.5.3 allows remote attackers to inject arbitrary web script or HTML via the NoteEditor.php. |
| CVE-2023-31548 | A stored Cross-site scripting (XSS) vulnerability in the FundRaiserEditor.php component of ChurchCRM v4.5.3 allows attackers to execute arbitrary web scripts or HTML via a crafted payload. |
I will update this list as soon as any new vulnerabilities are found.