Sh4Dowalker

Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 7.1.0 Description ChurchCRM is an open-source church management system susceptible to SQL injection. The `NewRole` POST parameter in `src/MemberRoleChange.php` is used in an SQL query without sufficient integer validation. This allows authenticated users with the ManageGroups role to inject arbitrary SQL, requiring knowledge of a valid GroupID and PersonID, obtainable from GroupView or PersonView pages. Recommendations Update to version 7.1.0 or later.

Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 7.1.0 Description ChurchCRM, an open-source church management system, has a SQL injection issue in the `GroupPropsFormRowOps.php` file. User input provided through the `Field` parameter is directly incorporated into SQL queries without sufficient sanitization. The `mysqli real escape string()` function fails to escape backtick characters, potentially enabling attackers to bypass SQL identifier context and execute arbitrary SQL statements. Recommendations Update to version 7.1.0 or later.

Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 7.1.0 Description A critical SQL injection issue exists in ChurchCRM's `PropertyTypeEditor.php`. The `Name` and `Description` POST parameters are insufficiently sanitized using only `strip tags()` before being directly incorporated into SQL queries. This allows authenticated users with 'Manage Properties' permission to execute arbitrary SQL commands, potentially leading to data exfiltration, modification, and deletion. Injected data persists in the database and is reflected across multiple application pages without output encoding. Recommendations Update to version 7.1.0 or later.

Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 7.1.0 Description A critical SQL injection issue exists in ChurchCRM versions prior to 7.1.0. The vulnerability is located in src/Reports/FundRaiserStatement.php, where the `$ SESSION['iCurrentFundraiser']` value is used in an unquoted numeric SQL context without proper integer validation. This value originates from src/FundRaiserEditor.php, where InputUtils::legacyFilterInputArr() is called without specifying the 'int' type. This allows for potential manipulation of SQL queries. Recommendations Update to version 7.1.0 or later.

Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 7.1.0 Description ChurchCRM, an open-source church management system, contains a SQL injection issue in its `SettingsIndividual.php` component. User-supplied data from the POST parameter, specifically array keys, is used directly in SQL queries without proper sanitization. This allows an authenticated user to extract sensitive data from the database. Recommendations Update to version 7.1.0 or later.

ChurchCRM is an open-source church management system. Prior to 7.1.0, authenticated users with Edit Records or Manage Groups permissions can exploit a time-based blind SQL injection vulnerability in the PropertyAssign.php endpoint to exfiltrate or modify any database content, including user credentials, personal identifiable information (PII), and configuration secrets. This vulnerability is fixed in 7.1.0.

**Name of the Vulnerable Software and Affected Versions** Sulu versions 1.0.0 through 2.6.21 Sulu versions 3.0.0 through 3.0.4 **Description** Sulu is a PHP content management system built on the Symfony framework. A user with permission to access the Sulu Admin interface, through at least one role, could access sub-entities of contacts via the admin API even without explicit permission for contacts. This occurs due to insufficient permission checks when accessing contact-related data through the admin API. The admin API endpoint is susceptible to unauthorized data access. The vulnerable parameter is not specified. **Recommendations** Update to Sulu version 2.6.22 or later. Update to Sulu version 3.0.5 or later. Create a Symfony Request Listener to verify permissions for specific roles.