CNNVD-202601-4991 Information
CNNVD ID
CNNVD-202601-4991
Related CVE
- CNNVD Published: 2026-01-30
Description (Chinese)
ChurchCRM是ChurchCRM开源的一个为教会打造的开源 CRM 系统。 ChurchCRM 6.7.2之前版本存在跨站脚本漏洞,该漏洞源于对日历事件描述字段输入清理不当,可能导致存储型跨站脚本攻击和账户接管。
Description (English)
ChurchCRM is an open-source CRM system for the Church, which is an open-source source of ChunchCRM. The pre-ChurchCRM 6.7.2 version had a cross-site script loophole, which stemmed from the inappropriate clean-up of the description fields of calendar events, which could lead to storage-type cross-site script attacks and account take-overs.
Hazard Level
High
Vulnerability Type
跨站脚本
Affected Vendor
ChurchCRM
Published
2026-01-30
Last Modified
2026-02-24
References
https://github.com/ChurchCRM/CRM/commit/0cd0d211459b8c19509d36b3c1dfcd7f8c10d914 https://github.com/ChurchCRM/CRM/commit/ec4b16e9a3ca09c8a01a712bcb90579c42f2ba28 https://github.com/ChurchCRM/CRM/security/advisories/GHSA-49qp-cfqx-c767 https://access.redhat.com/security/cve/cve-2026-24855
Patch
https://churchcrm.io/install.html
Share on: