CVE-2025-1132

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-1132

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-1132.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-1132

Published

2025-02-19T09:15:10.417Z

Modified

2026-03-12T17:35:06.443525Z

Severity

8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

[none]

Details

A time-based blind SQL Injection vulnerability exists in the ChurchCRM 5.13.0 and prior EditEventAttendees.php within the EN_tyid parameter. The parameter is directly inserted into an SQL query without proper sanitization, allowing attackers to inject malicious SQL commands. Please note that the vulnerability requires Administrator permissions. This flaw can potentially allow attackers to delay the response, indicating the presence of an SQL injection vulnerability. While it is a time-based blind injection, it can be exploited to gain insights into the underlying database, and with further exploitation, sensitive data could be retrieved.

References

https://github.com/ChurchCRM/CRM/issues/7251

Affected packages

Git / github.com/churchcrm/crm

Affected ranges

Type

GIT

Repo

https://github.com/churchcrm/crm

Events

Introduced

Last affected

b8163e4a02ea7ce0386296f91a5e78feda566b4c

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "5.13.0"
        }
    ]
}

Affected versions

2.*

2.0.0

2.0.1

2.1.0

2.1.1

2.1.10

2.1.11

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.1.7

2.1.9

2.10.0

2.10.1

2.10.2

2.10.3

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

2.3.0

2.3.1

2.3.2

2.3.3

2.3.4

2.3.5

2.4.0

2.4.1

2.4.2

2.4.3

2.4.4

2.5.0

2.5.1

2.5.2

2.6.0

2.6.1

2.6.2

2.6.3

2.7.0

2.7.1

2.7.2

2.7.3

2.7.4

2.7.5

2.8.0

2.8.0-RC1

2.8.0-RC2

2.8.1

2.8.10

2.8.11

2.8.12

2.8.13

2.8.14

2.8.15

2.8.2

2.8.3

2.8.4

2.8.5

2.8.6

2.8.7

2.8.8

2.8.9

2.9.0

2.9.0-RC1

2.9.1

2.9.2

2.9.3

2.9.4

3.*

3.0.0

3.0.1

3.0.10

3.0.11

3.0.12

3.0.13

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.8

3.0.9

3.1.0

3.1.1

3.1.2

3.2.0

3.2.1

3.2.2

3.2.3

3.2.4

3.3.0

3.3.1

3.3.2

3.4.0

3.5.0

3.5.1

3.5.2

3.5.3

3.5.4

3.5.5

4.*

4.0.0

4.0.1

4.0.2

4.0.3

4.0.4

4.0.5

4.1.0

4.1.1

4.1.2

4.1.3

4.1.4

4.2.0

4.2.1

4.2.2

4.2.3

4.3.0

4.3.1

4.3.2

4.4.0

4.4.1

4.4.2

4.4.3

4.4.4

4.4.5

4.5.0

4.5.1

4.5.2

4.5.3

4.5.4

5.*

5.0.0

5.0.0-beta1

5.0.0-beta2

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.1.0

5.1.1

5.10.0

5.11.0

5.12.0

5.13.0

5.2.0

5.2.1

5.2.2

5.2.3

5.3.0

5.3.1

5.4.0

5.4.1

5.4.2

5.4.3

5.5.0

5.6.0

5.7.0

5.8.0

5.9.1

5.9.2

5.9.3

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-1132.json"