ChurchCRM · ChurchCRM · CVE-2021-41965
**Name of the Vulnerable Software and Affected Versions**
ChurchCRM versions 2.0.0 through 4.4.5
**Description**
A SQL injection vulnerability allows an authenticated attacker to execute arbitrary SQL against the application database through the unsanitized `EN_tyid`, `theID`, and `EID` request fields that are used when an Edit action is performed on an existing record.
**Recommendations**
For ChurchCRM versions 2.0.0 through 4.4.5, consider disabling the Edit action on existing records until a patch is available, to prevent exploitation of the SQL injection. Restrict which users can reach the `EN_tyid`, `theID`, and `EID` fields to reduce the risk of exploitation. At the time of writing there is no information about a newer version that contains a fix for this vulnerability.
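As an added illustration (not ChurchCRM's own code), the pattern the description refers to beside a hardened form: an edit handler that concatenates the `EN_tyid`, `theID` and `EID` request values straight into SQL, and the same handler rewritten to validate each ID as a positive integer and bind it through a prepared statement. The table and column names (`note_nte`, `nte_ID`, `nte_per_ID`, `nte_type`, `nte_Text`) are hypothetical placeholders.

```php
<?php
// Illustrative example, not ChurchCRM's actual code. Table and column
// names are hypothetical; $req stands for the decoded request parameters.
declare(strict_types=1);

// VULNERABLE pattern: request values flow unchecked into the SQL string,
// so whoever controls EN_tyid, theID or EID controls the WHERE clause.
function updateNoteVulnerable(PDO $db, array $req): bool
{
    $sql = "UPDATE note_nte SET nte_Text = '" . $req['NoteText'] . "'"
         . " WHERE nte_ID = " . $req['theID']
         . " AND nte_per_ID = " . $req['EID']
         . " AND nte_type = " . $req['EN_tyid'];
    return $db->exec($sql) !== false;
}

// HARDENED: every identifier must be a positive integer, and all values
// are passed to the database as bound parameters, never as SQL text.
function requirePositiveInt(array $req, string $key): int
{
    $value = filter_var(
        $req[$key] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($value === false) {
        throw new InvalidArgumentException("Parameter $key must be a positive integer");
    }
    return $value;
}

function updateNoteSafe(PDO $db, array $req): bool
{
    $theID      = requirePositiveInt($req, 'theID');
    $entityID   = requirePositiveInt($req, 'EID');
    $entityType = requirePositiveInt($req, 'EN_tyid');
    $text       = (string) ($req['NoteText'] ?? '');

    $stmt = $db->prepare(
        'UPDATE note_nte SET nte_Text = :text'
        . ' WHERE nte_ID = :id AND nte_per_ID = :eid AND nte_type = :entype'
    );
    $stmt->bindValue(':text',   $text,       PDO::PARAM_STR);
    $stmt->bindValue(':id',     $theID,      PDO::PARAM_INT);
    $stmt->bindValue(':eid',    $entityID,   PDO::PARAM_INT);
    $stmt->bindValue(':entype', $entityType, PDO::PARAM_INT);
    return $stmt->execute();
}
```

The integer check rejects malformed input before any query is built, and the prepared statement keeps the remaining values out of the SQL grammar even if a check is later relaxed.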