Blind SQL Injection Vulnerability in ChurchCRM by ChurchCRM
CVE-2024-25896

Currently unrated

Key Information:

Vendor: ChurchCRM

Status
Vendor
CVE Published: 21 February 2024

What is CVE-2024-25896?

ChurchCRM version 5.5.0 contains a time-based blind SQL injection vulnerability in the EventEditor.php file, reachable through the EID POST parameter. In a time-based blind injection the application returns no query output, so the attacker infers results from how long the response takes. The flaw can allow unauthorized users to interact with the database, potentially exposing sensitive data or manipulating the database through crafted requests. Addressing this issue promptly is essential for maintaining the security integrity of applications relying on ChurchCRM.

Timeline

  • Vulnerability published

  • Vulnerability Reserved
