| tiêu đề | https://github.com/phili67/ecclesiacrm Ecclesia CRM < 8.0.0 SQL Injection |
|---|
| Mô tả | A critical SQL injection vulnerability was discovered in EcclesiaCRM v8.0.0 within the Query Viewer component. The flaw exists in the /v2/query/view/{id} endpoint, specifically inside the ValidateInput and ProcessSQL functions located in src/v2/templates/query/queryview.php. The application fails to properly neutralize special elements in SQL commands, allowing authenticated users to inject malicious payloads into query parameters such as custom or value. Because the software utilizes insecure string substitution via str_replace to build database queries instead of prepared statements, an attacker can execute arbitrary SQL commands to exfiltrate sensitive data, including administrative usernames, password hashes, and personal member records. Furthermore, the application exacerbates the risk by leaking the full constructed SQL query within HTML comments, providing attackers with the necessary technical details to refine their injection strings and confirm successful exploitation. |
|---|
| Nguồn | ⚠️ https://github.com/NicolasPauferro/studiessqli |
|---|
| Người dùng | Nicolas Pauferro (UID 96903) |
|---|
| Đệ trình | 30/03/2026 03:21 (cách đây 23 ngày) |
|---|
| Kiểm duyệt | 19/04/2026 18:46 (21 days later) |
|---|
| Trạng thái | được chấp nhận |
|---|
| Mục VulDB | 358262 [phili67 Ecclesia CRM đến 8.0.0 Query Viewer /v2/query/view/ ValidateInput custom Tiêm SQL] |
|---|
| điểm | 20 |
|---|