2026-04-07 15:53:05
GitHub_M
PUBLISHED
ChurchCRM is an open-source church management system. Prior to 7.0.0, it was possible in many places across the ChurchCRM application to create a link that, when visited by an authenticated user, would redirect them to any URL chosen by an attacker if they clicked Cancel button on the page. For this write-up the DonatedItemEditor.php will be used as an example, however wherever all instances of linkBack should be assessed. This vulnerability is fixed in 7.0.0.