CVE-2024-25894 in ChurchCRM
Summary
by MITRE • 02/21/2024
ChurchCRM 5.5.0 /EventEditor.php is vulnerable to Blind SQL Injection (Time-based) via the EventCount POST parameter.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 03/17/2025
ChurchCRM version 5.5.0 contains a critical blind time-based sql injection vulnerability in the EventEditor.php component that allows remote attackers to execute arbitrary database commands without authentication. This vulnerability specifically affects the EventCount POST parameter which is improperly validated and sanitized before being incorporated into sql query constructions. The flaw enables attackers to infer database content through timing variations in response times, making it particularly dangerous as it operates silently without direct error messages. The vulnerability stems from inadequate input validation and improper parameter handling within the web application's backend processing logic. According to CWE-89, this represents a classic sql injection weakness where attacker-controlled data is directly concatenated into sql statements without proper sanitization or parameterization. The attack vector requires a simple http post request containing malicious payload in the EventCount parameter, making exploitation straightforward for attackers with basic web application penetration testing skills.
The operational impact of this vulnerability extends beyond simple data exfiltration as it provides attackers with complete database access capabilities including read and write operations. An attacker could potentially extract sensitive information such as user credentials, personal identification data, and organizational details stored within the church management system. The time-based nature of the injection means that attackers can perform automated enumeration attacks by measuring response delays to infer database structure and content. This vulnerability affects the core functionality of ChurchCRM's event management system, potentially compromising the integrity of all calendar events, participant information, and associated organizational data. The lack of authentication requirements makes this particularly dangerous in environments where the application is exposed to untrusted networks or where default configurations have not been properly secured.
Mitigation strategies should include immediate patching of ChurchCRM to version 5.5.1 or later where this vulnerability has been addressed through proper input sanitization and parameterized query implementation. Network segmentation and firewall rules should be implemented to restrict access to the EventEditor.php endpoint to authorized administrative users only. Web application firewalls should be configured to monitor and block suspicious post parameters containing sql injection patterns. Input validation should be strengthened at multiple layers including client-side and server-side sanitization routines. The principle of least privilege should be enforced by ensuring that database connections used by ChurchCRM have minimal required permissions and are not granted administrative privileges. Security monitoring should be implemented to detect unusual timing patterns in http responses that may indicate active exploitation attempts. This vulnerability aligns with ATT&CK technique T1190 for exploitation of remote services and T1071.004 for application layer protocol traffic. Organizations should conduct comprehensive security assessments of their church management systems and ensure all third-party applications are kept current with security patches. Regular vulnerability scanning and penetration testing should be performed to identify similar injection flaws in other web applications within the organization's infrastructure.