CVE-2025-1132

Published: Feb 19, 2025

Modified: Feb 19, 2025

PUBLISHED

Description

A time-based blind SQL Injection vulnerability exists in the ChurchCRM 5.13.0 and prior EditEventAttendees.php within the EN_tyid parameter. The parameter is directly inserted into an SQL query without proper sanitization, allowing attackers to inject malicious SQL commands. Please note that the vulnerability requires Administrator permissions. This flaw can potentially allow attackers to delay the response, indicating the presence of an SQL injection vulnerability. While it is a time-based blind injection, it can be exploited to gain insights into the underlying database, and with further exploitation, sensitive data could be retrieved.

Vendor	Product	Versions
ChurchCRM	ChurchCRM	affected `ChurchCRM 5.13.0 and prior`

Weaknesses (CWE)

CWE-89

References

https://github.com/ChurchCRM/CRM/issues/7251

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-1132

Description

Affected Products

Weaknesses (CWE)

References