SB20240726101 - Multiple vulnerabilities in ChurchCRM

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) SQL injection (CVE-ID: CVE-2024-39306)

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to SQL injection in the /GetText.php endpoint when processing a GET request with the EID parameter. A remote user can inject crafted SQL statements to execute arbitrary code.

Exploitation requires authentication but no elevated privileges, and may require determining a writable application-served file path depending on the deployment stack.

2) SQL injection (CVE-ID: CVE-2024-39304)

The vulnerability allows a remote user to manipulate the database and disclose sensitive information.

The vulnerability exists due to improper neutralization of special elements used in an SQL command in the EID parameter in /GetText.php when handling a GET request. A remote user can send a specially crafted request to manipulate the database and disclose sensitive information.

The issue is a blind SQL injection.

Remediation

Install update from vendor's website.

References

• https://github.com/ChurchCRM/CRM/security/advisories/GHSA-r2gf-5m64-8v39
• https://github.com/ChurchCRM/CRM/security/advisories/GHSA-2rh6-gr3h-83j9
• https://github.com/advisories/GHSA-2rh6-gr3h-83j9