| Field | Value |
|---|---|
| Title | ChurchCRM <= 5.18.0 SQL Injection |
| Description | SQL injection vulnerability in ChurchCRM's EditEventAttendees.php (line 60) where the EID parameter is directly concatenated into SQL queries without sanitization or parameterized statements. Any authenticated user can inject arbitrary SQL commands using UNION-based techniques to extract complete database contents including administrative credentials, church member personal information, financial records, and donation data. The vulnerability enables privilege escalation, data manipulation, and potential system takeover through database compromise. |
| Source | https://github.com/uartu0/advisories/blob/main/churchcrm-sql-injection-2025.md |
| User | uartu0 (UID 90021) |
| Submitted | 2025-10-08 05:16 AM (6 months ago) |
| Moderation | 2025-10-18 02:53 PM (10 days later) |
| Status | Duplicate |
| VulDB Entry | 296272 [ChurchCRM up to 5.13.0 EditEventAttendees EID SQL Injection] |
| Points | 0 |