CVE-2024-25896 identifies a Blind SQL Injection vulnerability in ChurchCRM version 5.5.0, specifically within the EventEditor.php script. The vulnerability arises from improper sanitization of the EID parameter in POST requests, allowing an attacker to inject malicious SQL code. This injection is time-based, meaning the attacker can infer database information by measuring response delays, even without direct data output. The vulnerability does not require authentication or user interaction, increasing its risk profile. The CVSS 3.1 score of 5.3 reflects a medium severity, with an attack vector of network (remote exploitation), low attack complexity, no privileges required, and no user interaction needed. The impact is limited to integrity, as attackers can alter or manipulate database entries but cannot directly access confidential data or disrupt availability. No patches or official fixes have been linked yet, and no known exploits are reported in the wild. The vulnerability is categorized under CWE-89, indicating a failure to properly neutralize SQL commands, a common and critical web application security issue. Organizations using ChurchCRM 5.5.0 should assess their exposure and implement mitigations promptly.

The primary impact of this vulnerability is on data integrity within affected ChurchCRM installations. An attacker exploiting this flaw can manipulate event-related data, potentially altering or corrupting records without authorization. Although confidentiality and availability are not directly compromised, the integrity breach can undermine trust in the system and disrupt organizational operations reliant on accurate event data. Since exploitation requires no authentication and can be performed remotely, the attack surface is broad, especially for publicly accessible ChurchCRM deployments. The absence of known exploits in the wild reduces immediate risk but does not eliminate it, as attackers may develop exploits over time. Organizations that rely heavily on ChurchCRM for event management, especially those with public-facing interfaces, face increased risk of data tampering, which could lead to misinformation, scheduling conflicts, or reputational damage.

To mitigate CVE-2024-25896, organizations should first verify if they are running ChurchCRM version 5.5.0 and restrict public access to the EventEditor.php endpoint where feasible. Implementing strict input validation and sanitization on the EID POST parameter is critical. Employ parameterized queries or prepared statements in the application code to prevent SQL injection. If source code modification is not immediately possible, deploying a Web Application Firewall (WAF) with rules to detect and block SQL injection patterns targeting the EID parameter can provide interim protection. Regularly monitor database logs and application behavior for anomalies indicative of injection attempts. Organizations should also stay alert for official patches or updates from ChurchCRM and apply them promptly once available. Conducting security assessments and penetration testing focused on injection vulnerabilities can help identify and remediate similar issues proactively.