0Xiapetus

**Name of the Vulnerable Software and Affected Versions** ChurchCRM version 5.5.0 **Description** The issue concerns a Blind SQL Injection vulnerability, specifically time-based, that can be exploited via the `EventCount` POST parameter in the `/EventEditor.php` endpoint. This allows for potential unauthorized access to database information. **Recommendations** For ChurchCRM version 5.5.0, consider restricting access to the `/EventEditor.php` endpoint until a patch is available. As a temporary workaround, avoid using the `EventCount` parameter in the affected endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ChurchCRM version 5.5.0 **Description** The issue concerns a Blind SQL Injection vulnerability, specifically time-based, that can be exploited via the `EID` parameter in the `EventEditor.php` file. This allows for potential unauthorized access to database information. **Recommendations** For ChurchCRM version 5.5.0, consider restricting access to the `EventEditor.php` file until a patch is available, and avoid using the `EID` parameter in the affected POST requests to minimize the risk of exploitation.