SQL Injection Vulnerability in ChurchCRM by ChurchCRM
CVE-2024-53438

9.8CRITICAL

Key Information:

Vendor: ChurchCRM
Status: ChurchCRM
Vendor: CVE Published:; 22 November 2024

What is CVE-2024-53438?

The EventAttendance.php file in ChurchCRM version 5.7.0 contains a SQL injection vulnerability. This issue arises when the 'Event' parameter is processed without adequate input sanitization, allowing attackers to manipulate the SQL query executed by the application. By exploiting this vulnerability, an attacker can execute arbitrary SQL commands, potentially leading to unauthorized access to, or manipulation of, the database. It's crucial for users of affected versions to apply patches and follow security best practices to mitigate this risk.

References

https://github.com/ChurchCRM/CRM/issues/6988

https://github.com/advisories/GHSA-gr5x-8j97-qq23

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 22, 2024