blakduk/Advisories

Releases0

Stars2

CVE History

CVE	Published	CVSS v3	CVSS v2
CVE-2023-24684 ↗	Feb 9, 2023Thursday, 9 February 2023, 22:15	7.2 HIGH	—
ChurchCRM v4.5.3 and below was discovered to contain a SQL injection vulnerability via the EID parameter at GetText.php.
CVE-2023-24685 ↗	Feb 9, 2023Thursday, 9 February 2023, 22:15	7.2 HIGH	—
ChurchCRM v4.5.3 and below was discovered to contain a SQL injection vulnerability via the Event parameter under the Event Attendance reports module.
CVE-2023-24686 ↗	Feb 9, 2023Thursday, 9 February 2023, 22:15	4.8 MEDIUM	—
An issue in the CSV Import function of ChurchCRM v4.5.3 and below allows attackers to execute arbitrary code via importing a crafted CSV file.
CVE-2023-24690 ↗	Feb 9, 2023Thursday, 9 February 2023, 22:15	5.4 MEDIUM	—
ChurchCRM 4.5.3 and below was discovered to contain a stored cross-site scripting (XSS) vulnerability at /api/public/register/family.
CVE-2023-24689 ↗	Feb 9, 2023Thursday, 9 February 2023, 20:15	4.3 MEDIUM	—
An issue in Mojoportal v2.7.0.0 and below allows an authenticated attacker to list all css files inside the root path of the webserver via manipulation of the "s" parameter in /DesignTools/ManageSkin.aspx
CVE-2023-24322 ↗	Feb 9, 2023Thursday, 9 February 2023, 20:15	6.1 MEDIUM	—
A reflected cross-site scripting (XSS) vulnerability in the FileDialog.aspx component of mojoPortal v2.7.0.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the ed and tbi parameters.
CVE-2023-24323 ↗	Feb 9, 2023Thursday, 9 February 2023, 20:15	8.8 HIGH	—
Mojoportal v2.7 was discovered to contain an authenticated XML external entity (XXE) injection vulnerability.
CVE-2023-24687 ↗	Feb 9, 2023Thursday, 9 February 2023, 20:15	5.4 MEDIUM	—
Mojoportal v2.7.0.0 was discovered to contain a stored cross-site scripting (XSS) vulnerability in the Company Info Settings component. This vulnerability allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the txtCompanyName parameter.
CVE-2023-24688 ↗	Feb 9, 2023Thursday, 9 February 2023, 20:15	5.3 MEDIUM	—
An issue in Mojoportal v2.7.0.0 allows an unauthenticated attacker to register a new user even if the Allow User Registrations feature is disabled.
CVE-2021-37499 ↗	Jan 20, 2023Friday, 20 January 2023, 12:15	6.5 MEDIUM	—
CRLF vulnerability in Reprise License Manager (RLM) web interface through 14.2BL4 in the password parameter in View License Result function, that allows remote attackers to inject arbitrary HTTP headers.
CVE-2021-37500 ↗	Jan 20, 2023Friday, 20 January 2023, 12:15	8.1 HIGH	—
Directory traversal vulnerability in Reprise License Manager (RLM) web interface before 14.2BL4 in the diagnostics function that allows RLM users with sufficient privileges to overwrite any file the on the server.
CVE-2021-37498 ↗	Jan 20, 2023Friday, 20 January 2023, 12:15	6.5 MEDIUM	—
An SSRF issue was discovered in Reprise License Manager (RLM) web interface through 14.2BL4 that allows remote attackers to trigger outbound requests to intranet servers, conduct port scans via the actserver parameter in License Activation function.