CVE-2021-41965

Name of the Vulnerable Software and Affected Versions ChurchCRM versions 2.0.0 through 4.4.5

Description A SQL injection issue exists that allows an authenticated attacker to issue an arbitrary SQL command to the database through the unsanitized EN tyid, theID, and EID fields used when an Edit action on an existing record is being performed.

Recommendations For ChurchCRM versions 2.0.0 through 4.4.5, consider disabling the Edit action on existing records until a patch is available to prevent exploitation of the SQL injection vulnerability. Restrict access to the fields EN tyid, theID, and EID to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.