CVE-2024-39304
Published 2024-07-26
Priority: P2 · 62 · Severity: high · CVSS 3.1 base score: 8.8 (vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: available · EPSS: 2.98% (85.6th percentile)
ChurchCRM is an open-source church management system. Versions of the application prior to 5.9.2 are vulnerable to an authenticated SQL injection caused by improper sanitization of user input. Authentication is required, but no elevated privileges are necessary. The EID parameter of a GET request to `/GetText.php` is not adequately sanitized, which allows an attacker to inject SQL statements directly into the database query. Version 5.9.2 patches the issue.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| churchcrm | churchcrm | < 5.9.2 | 5.9.2 |
| churchcrm | crm | < 5.9.2 | 5.9.2 |
Detection & IOCs (extracted from sources)
- Monitor GET requests to /GetText.php for SQL injection patterns in the EID parameter, including subqueries, UNION, SLEEP(), and load_file() calls.
- Alert on time-based blind SQLi using SLEEP() in GET requests to /GetText.php; a delay of 3 seconds is used in the documented payload.
- Detect UNION-based SQLi with 11-column UTF8 fingerprinting in the EID parameter of /GetText.php.
- Authentication is required but no elevated privileges are needed; alert on any authenticated low-privilege user triggering SQL errors or anomalous query patterns on /GetText.php.
- The exploit PoC states 'No need for cookies, no need admin authentication', which contradicts the NVD description requiring authentication. Verify the actual authentication requirements against the patched version (5.9.2) before tuning detection thresholds.
- The vulnerability is fixed in ChurchCRM version 5.9.2; ensure detections target instances running versions prior to 5.9.2.
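The following is an added worked example of the detection guidance above, written for this page; it is not code from the ChurchCRM project or from any of the linked sources. It assumes a combined-format web server access log in front of ChurchCRM, treats an HTTP 500 as a stand-in for "the request caused a SQL error" (the application's real error behaviour may differ), and uses constructed sample log lines. It flags GET requests to /GetText.php whose EID value contains any of the primitives the page names (subquery, UNION, SLEEP(), load_file()) or is simply not the integer the parameter is supposed to carry, then counts findings per authenticated user. It decodes the query string once; double-encoded values would need an extra decoding pass.

```python
"""Flag suspicious EID values in GET requests to /GetText.php (CVE-2024-39304).

Added illustration for the detection guidance on this page; it is not code from
the ChurchCRM project. It assumes a combined-format web server access log in
front of ChurchCRM, and the sample lines below are constructed.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Combined log format: host ident user [time] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# The injection primitives named on the advisory page, matched case-insensitively
# against the percent-decoded EID value.
INDICATORS = {
    "subquery": re.compile(r"\(\s*select\b", re.I),
    "union": re.compile(r"\bunion\b", re.I),
    "sleep": re.compile(r"\bsleep\s*\(", re.I),
    "load_file": re.compile(r"\bload_file\s*\(", re.I),
}


def classify_eid(decoded: str) -> list[str]:
    """Return the indicator names present in an already-decoded EID value.

    A legitimate EID is a bare integer, so any other shape is also reported as
    'non-numeric'; that catches variants the keyword patterns do not know.
    """
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    if not decoded.isdigit():
        hits.append("non-numeric")
    return hits


def scan_log(lines) -> list[dict]:
    """Return one finding per GET /GetText.php request whose EID trips an indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        parts = urlsplit(m["target"])
        if parts.path != "/GetText.php":
            continue
        # parse_qs percent-decodes values once, so "%20UNION%20" arrives as " UNION ".
        for eid in parse_qs(parts.query, keep_blank_values=True).get("EID", []):
            indicators = classify_eid(eid)
            if indicators:
                findings.append({
                    "host": m["host"], "user": m["user"], "time": m["time"],
                    "status": m["status"], "eid": eid, "indicators": indicators,
                })
    return findings


def findings_per_user(findings) -> Counter:
    """Count findings by authenticated user: a low-privilege account producing
    several in a short window is the pattern the guidance above calls out."""
    return Counter(f["user"] for f in findings)


# Constructed sample log: one benign lookup, two that match the documented
# primitives (one of them answered with a 500), one hit on an unrelated path,
# and one non-GET request.
SAMPLE_LOG = [
    '10.0.0.5 - member1 [26/Jul/2024:10:00:01 +0000] "GET /GetText.php?EID=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - member1 [26/Jul/2024:10:00:02 +0000] "GET /GetText.php?EID=42%20AND%20SLEEP(3) HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - member1 [26/Jul/2024:10:00:03 +0000] "GET /GetText.php?EID=42%20UNION%20SELECT%201 HTTP/1.1" 500 0 "-" "Mozilla/5.0"',
    '10.0.0.9 - member2 [26/Jul/2024:10:00:04 +0000] "GET /index.php?EID=42%20UNION%20SELECT%201 HTTP/1.1" 200 100 "-" "curl/8.0"',
    '10.0.0.9 - member2 [26/Jul/2024:10:00:05 +0000] "POST /GetText.php HTTP/1.1" 200 100 "-" "curl/8.0"',
]

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['time']} {f['user']}@{f['host']} status={f['status']} "
              f"EID={f['eid']!r} -> {f['indicators']}")
    print(findings_per_user(hits))
```

The "non-numeric" check does most of the work here: because a legitimate EID is always an integer, a strict allow-list on the parameter's shape flags injection attempts regardless of which keyword they use, and the named primitives only add a label for triage. On the fixed version (5.9.2 and later) the same log pattern still indicates probing and is worth keeping as a low-priority alert.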
References
- https://github.com/ChurchCRM/CRM/commit/e3bd7bfbf33f01148df0ef1acdb0cf2c2b878b08
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-2rh6-gr3h-83j9