PT-2024-28430 · Churchcrm · Churchcrm

Apena-Ba · Published 2024-07-26 · Updated 2025-04-09 · CVE-2024-39304

CVSS v3.1: 8.8 High
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: ChurchCRM versions prior to 5.9.2
Description: The issue is an authenticated SQL injection caused by improper sanitization of user input. Authentication is required, but no elevated privileges are necessary. The EID parameter of a GET request to "/GetText.php" is placed into a database query without adequate sanitization, which allows an authenticated attacker to inject SQL statements directly into that query.
Recommendations: For versions prior to 5.9.2, update to version 5.9.2 to resolve the issue. As a temporary workaround, consider restricting access to the "/GetText.php" endpoint or validating the EID parameter (for example, rejecting any value that is not an integer) to minimize the risk of exploitation. A durable fix passes the value to the database as a bound parameter of a prepared statement rather than concatenating it into the query string.
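The following PHP script is an added illustration of the weakness class described above and of the recommended fix; it is not ChurchCRM's code, and the table name, column names and the `getTextVulnerable`/`getTextSafe` functions are invented for the demonstration. It shows a handler that reads an EID value the way the advisory describes (untrusted input concatenated into SQL), then the same lookup hardened with integer validation and a bound parameter, run against an in-memory SQLite database so it executes stand-alone with `php -f`.

```php
<?php
// Added example, not from the ChurchCRM project. The schema and sample rows are
// constructed for the demo; only the pattern (string-built SQL vs. a prepared
// statement with a validated, bound parameter) is the point.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE event_text (eid INTEGER PRIMARY KEY, body TEXT)');
$db->exec("INSERT INTO event_text VALUES (1, 'public text'), (2, 'secret text')");

// Vulnerable pattern: the request parameter is interpolated into the query, so
// whatever the client sends becomes part of the WHERE clause.
function getTextVulnerable(PDO $db, string $eid): array
{
    $sql = "SELECT body FROM event_text WHERE eid = " . $eid;
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened pattern: reject anything that is not a positive integer before any SQL
// runs, then bind the value as a typed parameter so it can never alter the query.
function getTextSafe(PDO $db, string $eid): array
{
    if (!preg_match('/^[1-9][0-9]*$/', $eid)) {
        throw new InvalidArgumentException('EID must be a positive integer');
    }
    $stmt = $db->prepare('SELECT body FROM event_text WHERE eid = :eid');
    $stmt->bindValue(':eid', (int) $eid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: a normal request value and a tautology in the same parameter.
$normal  = '1';
$payload = '1 OR 1=1';

var_dump(getTextVulnerable($db, $normal));   // one row, as intended
var_dump(getTextVulnerable($db, $payload));  // both rows: the WHERE clause was rewritten

var_dump(getTextSafe($db, $normal));         // one row
try {
    getTextSafe($db, $payload);              // rejected before the database is touched
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The validation step is what makes the interim workaround in the recommendations meaningful: an allow-list check on the parameter stops the payload at the edge, while the bound parameter in the prepared statement is what removes the injection even if the check is later loosened or bypassed.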

Weakness Enumeration: SQL injection

Related Identifiers: CVE-2024-39304, GHSA-2RH6-GR3H-83J9

Affected Products: Churchcrm