CVE-2025-1132

Critical CVSS: 9.3

A time-based blind SQL Injection vulnerability exists in the ChurchCRM 5.13.0 and prior EditEventAttendees.php within the EN_tyid parameter. The parameter is directly inserted into an SQL query without proper sanitization, allowing attackers to inject malicious SQL commands. Please note that the vulnerability requires Administrator permissions. This flaw can potentially allow attackers to delay the response, indicating the presence of an SQL injection vulnerability. While it is a time-based blind injection, it can be exploited to gain insights into the underlying database, and with further exploitation, sensitive data could be retrieved.

Vendor

Churchcrm

Product

Churchcrm

CWE

CWE-89

Yayın Tarihi

2025-02-19 09:15:10

Güncelleme

2025-02-25 21:48:03

Source Identifier

b7efe717-a805-47cf-8e9a-921fca0ce0ce

KEV Date Added

Kategoriler

CWE-89 Churchcrm CRITICAL Churchcrm 2025

Referanslar

https://github.com/ChurchCRM/CRM/issues/7251

Benzer Kayıtlar

Medium

CVE-2026-32880

ChurchCRM is an open-source church management system. Versions prior to 7.0.2 allow an admin user to edit JSON type syst…

Low

CVE-2026-26059

ChurchCRM is an open-source church management system. In versions prior to 6.8.2, it was possible for an authenticated u…

High

CVE-2026-24854

ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in endpoint `/PaddleNumEditor…

High

CVE-2026-24855

ChurchCRM is an open-source church management system. Versions prior to 6.7.2 have a Stored Cross-Site Scripting (XSS) v…

Low

CVE-2025-68399

ChurchCRM is an open-source church management system. In versions prior to 6.5.4, there is a Stored Cross-Site Scripting…

Critical

CVE-2025-68400

ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in the legacy endpoint `/Repo…