Description
ChurchCRM is an open-source church management system. Prior to version 6.5.0, a SQL injection vulnerability exists in the EventEditor.php file. When creating a new event and selecting an event type, the EN_tyid POST parameter is not sanitized. This allows an authenticated user with event management permissions (isAddEvent) to execute arbitrary SQL queries. Version 6.5.0 fixes the issue.
Vulnerable configurations
Configuration 1: versions before 6.5.0 (exclusive)
cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*
EPSS
Score: 0.00033 (percentile: 9%), Low
CVSS3
7.2 High
Weaknesses
CWE-89