| Field | Value |
|---|---|
| Title | ChurchCRM <= 5.18.0 SQL Injection |
| Description | SQL injection vulnerability in ChurchCRM's EditEventAttendees.php (line 60) where the EID parameter is directly concatenated into SQL queries without sanitization or parameterized statements. Any authenticated user can inject arbitrary SQL commands using UNION-based techniques to extract complete database contents including administrative credentials, church member personal information, financial records, and donation data. The vulnerability enables privilege escalation, data manipulation, and potential system takeover through database compromise. |
| Source | ⚠️ https://github.com/uartu0/advisories/blob/main/churchcrm-sql-injection-2025.md |
| User | uartu0 (UID 90021) |
| Submitted | 2025-10-08 05:16 (6 months ago) |
| Moderation | 2025-10-18 14:53 (10 days later) |
| Status | Duplicate |
| VulDB entry | 296272 [ChurchCRM up to 5.13.0 EditEventAttendees EID SQL Injection] |
| Points | 0 |