Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Alive Parish 2.0.4 SQL Injection and Arbitrary File Upload
Vulnerability Description
Alive Parish 2.0.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the key parameter in the search endpoint. Attackers can also upload arbitrary files via the person photo upload functionality to the images/uploaded directory for remote code execution.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Vulnerability Type
跨站请求伪造(CSRF)
Vulnerability Title
Alive Parish 跨站请求伪造漏洞
Vulnerability Description
Alive Parish是terencemonteiro个人开发者的一个教会管理系统。 Alive Parish 2.0.4版本存在跨站请求伪造漏洞,该漏洞源于search端点中的key参数存在SQL注入,且images/uploaded目录存在任意文件上传,可能导致执行任意SQL查询或远程代码执行。
CVSS Information
N/A
Vulnerability Type
N/A