CVE-2024-25892

Name of the Vulnerable Software and Affected Versions ChurchCRM version 5.5.0

Description The issue concerns a Blind SQL Injection vulnerability, specifically a time-based attack, that can be exploited via the familyId GET parameter in the ConfirmReport.php file. This allows an attacker to potentially extract or manipulate sensitive data from the database.

Recommendations For ChurchCRM version 5.5.0, consider restricting access to the ConfirmReport.php file or disabling the use of the familyId GET parameter until a patch is available. Avoid using the familyId parameter in the affected endpoint to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.