CVE-2024-25891 in ChurchCRMinfo

Summary

by MITRE • 02/21/2024

ChurchCRM 5.5.0 FRBidSheets.php is vulnerable to Blind SQL Injection (Time-based) via the CurrentFundraiser GET parameter.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 08/30/2024

ChurchCRM version 5.5.0 contains a critical blind time-based sql injection vulnerability in the FRBidSheets.php script that allows remote attackers to execute arbitrary database commands without authentication. This vulnerability specifically affects the CurrentFundraiser GET parameter which is improperly validated and sanitized before being incorporated into sql queries. The flaw enables attackers to infer database content through timing delays in query execution, making it particularly dangerous as it operates silently without immediate detection. The vulnerability stems from insufficient input validation and improper parameter handling within the application's data processing pipeline, creating an attack surface where user-supplied data directly influences sql statement construction. According to cwe standards, this represents a classic cwe-89 sql injection weakness where the application fails to properly escape or parameterize user input. The attack vector operates through a time-based blind technique where malicious payloads cause intentional delays in database response times, allowing attackers to extract information character by character through careful timing analysis. This vulnerability aligns with attack techniques documented in the mitre att&ck framework under initial access and credential access domains, specifically targeting the sql injection tactic and technique. The operational impact includes potential data exfiltration, unauthorized access to sensitive church member information, and possible system compromise through further exploitation. Organizations running ChurchCRM 5.5.0 are at significant risk as the vulnerability can be exploited remotely without requiring authentication credentials, making it particularly attractive to threat actors targeting religious organizations. The vulnerability exists due to inadequate application security controls and failure to implement proper input sanitization mechanisms. Mitigation strategies should include immediate patching to the latest ChurchCRM version, implementing proper parameterized queries, and deploying web application firewalls to monitor and block suspicious sql injection attempts. Additionally, organizations should conduct comprehensive security assessments of their web applications and implement input validation controls to prevent similar vulnerabilities from occurring in other components of their software infrastructure. The vulnerability demonstrates the critical importance of secure coding practices and proper database access controls in applications handling sensitive personal information.

Reservation

02/12/2024

Disclosure

02/21/2024

Moderation

accepted

CPE

ready

EPSS

0.00578

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!