ChurchCRM is an open-source church management system. Prior to 7.1.0, a critical SQL injection vulnerability exists in ChurchCRM's PropertyTypeEditor.php where the Name and Description POST parameters are sanitized only with strip_tags() before direct concatenation into SQL queries. This allows authenticated users with "Manage Properties" permission to execute arbitrary SQL commands including data exfiltration, modification, and deletion. Injected data persists in the database and is reflected across multiple application pages without output encoding. This vulnerability is fixed in 7.1.0.
| Vendor | Product | Versions |
|---|---|---|
| churchcrm | crm | < 7.1.0 |
Updated affected versions to include 7.0.x, changed severity to CRITICAL, and noted that the vulnerability is actively exploited.
Initial creation
