Description

ChurchCRM is an open-source church management system. Versions of the application prior to 5.9.2 are vulnerable to an authenticated SQL injection due to an improper sanitization of user input. Authentication is required, but no elevated privileges are necessary. This allows attackers to inject SQL statements directly into the database query due to inadequate sanitization of the EID parameter in in a GET request to `/GetText.php`. Version 5.9.2 patches the issue.

INFO

Published Date :

2024-07-26T17:31:38.338Z

Last Modified :

2024-08-02T04:19:20.746Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2024-39304 vulnerability.

Vendors Products
Churchcrm
  • Churchcrm
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2024-39304.

URL Resource
https://github.com/ChurchCRM/CRM/commit/e3bd7bfbf33f01148df0ef1acdb0cf2c2b878b08 cve-icon cve-icon
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-2rh6-gr3h-83j9 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact