CSV Injection Vulnerability in ChurchCRM by ChurchCRM
CVE-2020-28848

8.8HIGH

Key Information:

Vendor: Churchcrm
Status: Churchcrm
Vendor: CVE Published:; 11 August 2023

What is CVE-2020-28848?

A CSV Injection vulnerability exists in ChurchCRM version 4.2.0, enabling remote attackers to execute arbitrary code through the manipulation of specially crafted CSV files. This security flaw poses a significant risk as it could be exploited to execute malicious commands on the server, leading to unauthorized access and potential data compromise. Users of this version should take immediate action to address this vulnerability and ensure the security of their systems.

References

https://github.com/ChurchCRM/CRM/issues/5465

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 11, 2023
Vulnerability Reserved
Nov 16, 2020

Churchcrm

What is CVE-2020-28848?

References

CVSS V3.1

Timeline