CVE-2023-38771

Name of the Vulnerable Software and Affected Versions ChurchCRM version 5.0.0

Description The issue allows a remote attacker to obtain sensitive information via the volopp parameter within the "/QueryView.php" API endpoint. This enables the attacker to inject SQL code, potentially leading to unauthorized data access.

Recommendations For ChurchCRM version 5.0.0, update to a version that includes a fix for this issue, as using the volopp parameter in the "/QueryView.php" endpoint poses a significant risk. As a temporary workaround, consider restricting access to the "/QueryView.php" endpoint to minimize the risk of exploitation. Avoid using the volopp parameter in the affected API endpoint until the issue is resolved.