Blind SQL Injection Vulnerability in ChurchCRM by ChurchCRM
CVE-2024-25894
Currently unrated
What is CVE-2024-25894?
The EventEditor.php file in ChurchCRM version 5.5.0 is susceptible to a time-based Blind SQL Injection vulnerability through the EventCount POST parameter. This flaw could allow an attacker to manipulate SQL queries, potentially leading to unauthorized access to sensitive data or control of the underlying database. Immediate action is recommended to mitigate risks associated with exploitation.
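A defender-side check for the condition described above, as an added example that is not ChurchCRM code: it flags requests to EventEditor.php whose EventCount value is not a plain integer, and escalates when the response was also slow. It assumes that POST bodies and response times are available (for example from a WAF or reverse-proxy audit log) and that EventCount is expected to be a small non-negative integer; the record layout, the 3-second threshold and the sample records are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Constructed sample records (not real traffic): (path, POST body, response seconds).
SAMPLE_LOG = [
    ("/EventEditor.php", "EventTitle=Picnic&EventCount=3", 0.21),
    ("/EventEditor.php", "EventTitle=Picnic&EventCount=3%20PLACEHOLDER_NON_NUMERIC", 5.34),
    ("/EventEditor.php", "EventTitle=Picnic&EventCount=", 0.18),
    ("/Menu.php", "EventCount=abc", 0.10),
    ("/EventEditor.php", "EventCount=2&EventCount=x", 0.25),
]

TARGET = "/EventEditor.php"                  # endpoint named in the advisory
PARAM = "EventCount"                         # parameter named in the advisory
INT_RE = re.compile(r"\d{1,6}", re.ASCII)    # assumption: small non-negative integer
SLOW_SECONDS = 3.0                           # assumption: tune to normal site latency


def classify(path, body, seconds):
    """Return 'ok', 'non-integer' or 'non-integer+slow' for one request."""
    if not path.endswith(TARGET):
        return "ok"
    # parse_qs URL-decodes values, drops empty ones and keeps repeated parameters,
    # so a second EventCount sent after a valid one is still inspected.
    values = parse_qs(body).get(PARAM, [])
    if all(INT_RE.fullmatch(v) for v in values):
        return "ok"
    # A non-integer value that coincides with a delayed response is the
    # pattern a time-based blind injection leaves behind.
    return "non-integer+slow" if seconds >= SLOW_SECONDS else "non-integer"


def scan(records):
    """Return (index, verdict) for every record that is not 'ok'."""
    hits = []
    for i, (path, body, seconds) in enumerate(records):
        verdict = classify(path, body, seconds)
        if verdict != "ok":
            hits.append((i, verdict))
    return hits


if __name__ == "__main__":
    for index, verdict in scan(SAMPLE_LOG):
        print(index, verdict, SAMPLE_LOG[index][1])
```

The same integer allowlist, enforced server-side before the value reaches any SQL statement, is the corresponding input-validation control.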