CVE-2026-35566
Critical SQL Injection in ChurchCRM FundRaiserStatement Component
Publication date: 2026-04-07
Last updated on: 2026-04-07
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| churchcrm | churchcrm | up to, but excluding, 7.1.0 |
| churchcrm | churchcrm | 7.1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-35566 is a critical SQL injection vulnerability in ChurchCRM versions 7.0.5 and earlier. It occurs because a session variable ($_SESSION['iCurrentFundraiser']) is used directly in an SQL query without proper integer validation or quoting. The input originates from a GET parameter 'FundRaiserID' that is filtered without enforcing it as an integer, allowing malicious input to be injected into the SQL query.
This vulnerability allows an attacker to manipulate the SQL query structure by injecting malicious payloads, leading to unauthorized data access or modification.
How can this vulnerability impact me?
An authenticated attacker exploiting this vulnerability can extract sensitive data such as administrator usernames and password hashes, execute arbitrary SQL queries, bypass authentication, and manipulate or delete database records.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by observing unusual behavior related to the FundRaiserID parameter in HTTP requests and by testing for SQL injection in the session variable $_SESSION['iCurrentFundraiser'] used in SQL queries.
A practical detection method involves sending crafted HTTP requests to the FundRaiserEditor.php endpoint with malicious payloads in the FundRaiserID parameter to see if the system is vulnerable to SQL injection.
For example, you can use curl commands to test for time-based blind SQL injection by injecting payloads that cause delays if the injection is successful.
- curl -i "http://yourchurchcrmserver/FundRaiserEditor.php?FundRaiserID=1+UNION+SELECT+0,0,0,0,usr_UserName,usr_Password,usr_Style,0,usr_apiKey,CHAR(48),CHAR(48),CHAR(48),CHAR(48),CHAR(48),CHAR(48)+FROM+user_usr+WHERE+usr_per_ID=1+AND+(SELECT+SLEEP(2))--"
If the HTTP response is delayed by approximately 2 seconds, it indicates the presence of the SQL injection vulnerability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, you should upgrade ChurchCRM to version 7.1.0 or later where the issue is fixed.
If upgrading is not immediately possible, apply the following code changes to enforce integer validation and casting:
- In src/FundRaiserEditor.php, specify the 'int' type when filtering input: $iFundRaiserID = InputUtils::legacyFilterInputArr($_GET, 'FundRaiserID', 'int');
- In src/Reports/FundRaiserStatement.php, cast the session variable to integer before use: $iFundRaiserID = (int) $_SESSION['iCurrentFundraiser'];
These changes ensure that the FundRaiserID is properly validated as an integer, preventing malicious SQL injection payloads from being executed.
Additionally, restrict access to authenticated users only and monitor logs for suspicious activity related to FundRaiserID parameters.
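As an added illustration (not ChurchCRM's own code), the unsafe pattern the answer describes is shown next to the integer-validated form it recommends. filter_var stands in for InputUtils::legacyFilterInputArr, the superglobals are replaced by local arrays so the script runs from the CLI, and the table and column names are placeholders.

```php
<?php
// Added illustration, not ChurchCRM code: the unsafe pattern the advisory
// describes next to the integer-validated form it recommends.
// Constructed inputs: a normal ID and a non-integer value.
$validRequest   = ['FundRaiserID' => '7'];
$hostileRequest = ['FundRaiserID' => '7 OR 1=1'];

// Vulnerable pattern: the GET value is filtered without an integer type,
// stored in the session, and later concatenated into the query as-is.
function buildQueryUnsafe(array $get): string
{
    $session = [];
    $session['iCurrentFundraiser'] = $get['FundRaiserID'] ?? ''; // no type enforced
    // Placeholder table/column names; any non-integer value changes the query structure.
    return 'SELECT * FROM fundraiser_fr WHERE fr_ID = ' . $session['iCurrentFundraiser'];
}

// Hardened pattern: validate as an integer at the entry point (the FundRaiserEditor
// step), cast again at the point of use (the FundRaiserStatement step), and bind
// the value instead of interpolating it.
function buildQuerySafe(array $get): array
{
    $id = filter_var($get['FundRaiserID'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false) {
        throw new InvalidArgumentException('FundRaiserID must be an integer');
    }
    $session = ['iCurrentFundraiser' => $id];
    $bound = (int) $session['iCurrentFundraiser']; // defence in depth at the use site
    return [
        'sql'    => 'SELECT * FROM fundraiser_fr WHERE fr_ID = :id',
        'params' => [':id' => $bound],
    ];
}

echo buildQueryUnsafe($validRequest), PHP_EOL;   // ... WHERE fr_ID = 7
echo buildQueryUnsafe($hostileRequest), PHP_EOL; // ... WHERE fr_ID = 7 OR 1=1
print_r(buildQuerySafe($validRequest));          // bound parameter, id => 7
try {
    buildQuerySafe($hostileRequest);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}
```

The hardened version rejects the non-integer value before it reaches the session, so the later (int) cast and the bound parameter never see anything but an integer.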
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This SQL injection vulnerability allows authenticated attackers to extract sensitive data such as admin usernames, password hashes, and database structure. Such unauthorized access and potential data breaches can lead to non-compliance with data protection regulations like GDPR and HIPAA, which mandate the protection of personal and sensitive information.
By enabling attackers to bypass authentication and manipulate or delete database records, the vulnerability increases the risk of data integrity and confidentiality violations, further impacting compliance with these standards.