ChurchCRM Error Impacts User Data
CVE-2024-39304

8.8HIGH

Key Information:

Vendor: ChurchCRM
Status: Churchcrm
Vendor: CVE Published:; 26 July 2024

What is CVE-2024-39304?

The Church Management System by ChurchCRM is exposed to an SQL injection vulnerability affecting versions prior to 5.9.2. This flaw arises from insufficient sanitization of user inputs, specifically the EID parameter in GET requests sent to '/GetText.php'. While authentication is required to exploit this vulnerability, attackers do not need elevated privileges, which increases the risk of unauthorized database manipulation. The vulnerability has been addressed in version 5.9.2, ensuring enhanced protection against potential attacks.

References

https://github.com/ChurchCRM/CRM/security/advisories/GHSA...

https://github.com/ChurchCRM/CRM/commit/e3bd7bfbf33f01148...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 26, 2024