ChurchCRM has a SQL Injection via Unsanitized Array Keys in SettingsIndividual.php

Description

ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in ChurchCRM's SettingsIndividual.php where user-controlled array keys from the type POST parameter are used directly in SQL queries without sanitization. This allows any authenticated user to extract sensitive data from the database. This vulnerability is fixed in 7.1.0.

Affected Products

References

• https://github.com/ChurchCRM/CRM/security/advisories/GHSA-h7hg-f7cw-9xwc(x_refsource_CONFIRM)

Related News (1 articles)