SQL Injection Vulnerability in ChurchCRM by ChurchCRM
CVE-2023-24684

7.2HIGH

Key Information:

Vendor: Churchcrm
Status: Churchcrm
Vendor: CVE Published:; 9 February 2023

What is CVE-2023-24684?

ChurchCRM versions 4.5.3 and earlier are susceptible to a SQL injection attack through the EID parameter in the GetText.php file. This flaw allows attackers to manipulate SQL queries, potentially leading to unauthorized access to sensitive data stored in the database. It is imperative for users of affected versions to apply security patches or updates promptly to mitigate the risk associated with this vulnerability.

References

https://github.com/ChurchCRM/CRM

http://churchcrm.io/

https://github.com/blakduk/Advisories/blob/main/ChurchCRM...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 9, 2023
Vulnerability Reserved
Jan 30, 2023

Churchcrm

What is CVE-2023-24684?

References

CVSS V3.1

Timeline