CVE-2024-25896 in ChurchCRMinfo

Summary

by MITRE • 02/21/2024

ChurchCRM 5.5.0 EventEditor.php is vulnerable to Blind SQL Injection (Time-based) via the EID POST parameter.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 03/17/2025

ChurchCRM version 5.5.0 contains a critical blind time-based sql injection vulnerability in the EventEditor.php component that allows remote attackers to execute arbitrary database commands without authentication. The vulnerability specifically affects the EID POST parameter which is not properly sanitized or validated before being processed by the application's database query execution logic. This flaw enables attackers to infer database content through timing delays in query responses, making it particularly dangerous as it can be exploited to extract sensitive information from the underlying mysql database. The vulnerability stems from insufficient input validation and improper parameter handling within the application's backend processing layer, creating a path for malicious sql payloads to be executed against the database server.

The technical exploitation of this vulnerability follows a time-based blind sql injection pattern where attackers craft malicious payloads that cause the database to delay responses based on boolean conditions. When the EID parameter is submitted with crafted sql injection content, the application processes this input directly within sql queries without proper sanitization or parameterization. This allows attackers to construct payloads that force the database to wait for specific time intervals when certain conditions are met, thereby enabling them to extract data character by character through timing analysis. The vulnerability aligns with common weakness enumeration CWE-89 which describes improper neutralization of special elements used in sql commands, and maps to attack techniques in the attack tree under CWE-459 where incomplete input validation leads to sql injection vulnerabilities.

The operational impact of this vulnerability is severe as it provides attackers with unauthorized access to the church management database containing sensitive information including member records, financial data, and personal details. An attacker could potentially extract all database contents, modify existing records, or even delete critical information that could compromise the privacy and security of church members. The vulnerability affects the entire ChurchCRM application and impacts all users who have access to the EventEditor.php interface, making it particularly concerning for organizations that rely heavily on the platform for managing their community data. Given the nature of the data typically stored in such systems, the potential for identity theft, financial fraud, and privacy violations is significant.

Organizations using ChurchCRM version 5.5.0 should immediately implement multiple layers of mitigation strategies to protect against this vulnerability. The most critical immediate action is to upgrade to a patched version of ChurchCRM that addresses this sql injection flaw through proper input validation and parameterized queries. Additionally, network-based mitigations such as web application firewalls should be configured to detect and block suspicious sql injection patterns targeting the EventEditor.php endpoint. Input validation should be strengthened at both the application and network levels to ensure that all POST parameters including EID are properly sanitized before processing. Database access controls should be reviewed to limit the privileges of the application's database user account, reducing the potential impact of successful exploitation. Regular security assessments and penetration testing should be conducted to identify similar vulnerabilities within the application's codebase, with particular attention to sql injection points throughout the software architecture. The vulnerability also highlights the importance of following secure coding practices including parameterized queries and input validation as recommended in industry standards such as the owasp top ten and iso/iec 27001 security requirements.

Reservation

02/12/2024

Disclosure

02/21/2024

Moderation

accepted

CPE

ready

EPSS

0.00427

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!