CVE-2020-28849

{"id": "CVE-2020-28849", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2023-08-11T14:15:11.237", "references": [{"url": "https://github.com/ChurchCRM/CRM/issues/5477", "tags": ["Exploit", "Issue Tracking"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Cross Site Scripting (XSS) vulnerability in ChurchCRM version 4.2.1, allows remote attckers to execute arbitrary code and gain sensitive information via crafted payload in Add New Deposit field in View All Deposit module."}, {"lang": "es", "value": "Una vulnerabilidad de Cross-Site Scripting (XSS) en ChurchCRM v4.2.1 permite a atacantes remotos ejecutar c\u00f3digo arbitrario y obtener informaci\u00f3n confidencial a trav\u00e9s de un payload manipulado en el campo \"Add New Deposit\" del m\u00f3dulo \"View All Deposit\". "}], "lastModified": "2023-08-17T01:55:09.730", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2B81A55D-F3F1-4217-BAED-3DC4A7F24DF9", "versionEndIncluding": "4.2.1"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}