Adrianjunge

Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 7.1.0 Description ChurchCRM is an open-source church management system. An SQL injection issue exists in the `/SettingsUser.php` endpoint in versions prior to 7.1.0. Authenticated administrative users can inject arbitrary SQL statements through the `type` array parameter via the `index` and potentially extract or modify database information. Recommendations Update to version 7.1.0 or later.

Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 7.1.0 Description ChurchCRM, an open-source church management system, contains an SQL injection flaw in the `/PropertyTypeEditor.php` endpoint. Authenticated users with the `isMenuOptionsEnabled` role can inject SQL statements through the `Name` and `Description` parameters, potentially allowing them to extract and modify database information. Recommendations Update to version 7.1.0 or later.

Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 7.1.0 Description ChurchCRM is susceptible to a second-order SQL injection issue in the `/FundRaiserEditor.php` endpoint. An authenticated user, without specific privileges, can inject arbitrary SQL statements through the `iCurrentFundraiser` PHP session parameter, potentially allowing them to extract and modify database information. Recommendations Update to version 7.1.0 or later.

Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 7.1.0 Description ChurchCRM, an open-source church management system, contains a SQL injection flaw in the `/MemberRoleChange.php` endpoint. Authenticated users with the 'Manage Groups & Roles' role can inject SQL statements through the `NewRole` parameter, potentially allowing them to extract and modify database information. Recommendations Update to version 7.1.0 or later.

Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 7.1.0 Description ChurchCRM, an open-source church management system, contains a SQL injection issue in the `/EventNames.php` file. Authenticated users with AddEvent privileges can inject SQL through the `newEvtTypeCntLst` parameter when creating event types. The vulnerability occurs within an ON DUPLICATE KEY UPDATE clause where user-supplied input is directly included without proper sanitization. Recommendations Update to version 7.1.0 or later.

Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 7.1.0 Description ChurchCRM, an open-source church management system, contains an SQL injection issue in the `/PropertyAssign.php` endpoint. Authenticated users with Manage Groups & Roles (ManageGroups) and Edit Records (isEditRecordsEnabled) permissions can inject arbitrary SQL statements through the `Value` parameter, potentially allowing them to extract and modify database information. Recommendations Update to version 7.1.0 or later.

Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 7.1.0 Description ChurchCRM is an open-source church management system. Prior to version 7.1.0, an SQL injection vulnerability exists in the `/SettingsIndividual.php` endpoint. Authenticated users can inject arbitrary SQL statements through the `type` array parameter via the `index` and extract or modify database information. Recommendations Update to version 7.1.0 or later.