Perceptive Security
SOC/SIEM Consultancy

ChurchCRM is an open-source church management system. Prior to 7.1.0, a SQL injection vulnerability exists in PropertyTypeEditor.php, part of the administration…
Published:
6 April 2026 at 22:00:00
Alert date:
7 April 2026 at 19:08:14
Source:
nvd.nist.gov
Web Technologies, Database & Storage, Enterprise Applications
ChurchCRM, an open-source church management system, contains a SQL injection vulnerability in PropertyTypeEditor.php prior to version 7.1.0. The vulnerability was introduced when the legacyFilterInput() function was replaced with sanitizeText(), which removed the SQL escaping that the previous function provided. Authenticated users with the MenuOptions role can exploit this to perform time-based blind SQL injection and exfiltrate database contents, including password hashes. The vulnerable code is in the administration functionality for managing property type categories. Fixed in version 7.1.0.
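The root cause described above (an HTML-oriented sanitiser swapped in for SQL escaping) is illustrated by the following added example. It is hypothetical Python/sqlite3 code written for this page, not ChurchCRM's PHP source; the sanitize_text() stand-in and the property_type table are assumptions. A legitimate value containing an apostrophe is enough to show that the sanitised text still reaches the SQL parser as code, while a parameterised query treats it as data.

```python
"""Why replacing SQL escaping with text sanitisation leaves a query injectable.

Hypothetical illustration (not ChurchCRM code): an HTML-style sanitiser
encodes angle brackets but never touches the single quote that delimits
SQL string literals, so concatenating its output into SQL text is unsafe.
"""
import html
import sqlite3


def sanitize_text(value: str) -> str:
    """Stand-in for an HTML-oriented sanitiser (assumption): encodes <, > and &
    and trims whitespace, but leaves SQL-significant quotes untouched."""
    return html.escape(value, quote=False).strip()


def make_db() -> sqlite3.Connection:
    """Fresh in-memory database with a constructed property_type table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE property_type (id INTEGER PRIMARY KEY, name TEXT)")
    return conn


def insert_unsafe(conn: sqlite3.Connection, name: str) -> None:
    """'Before' pattern: sanitised value concatenated into the SQL string.
    The quote in the input ends the literal early and the rest is parsed as SQL."""
    conn.execute(f"INSERT INTO property_type (name) VALUES ('{sanitize_text(name)}')")


def insert_safe(conn: sqlite3.Connection, name: str) -> None:
    """'After' pattern: bound parameter, so the value is never parsed as SQL."""
    conn.execute("INSERT INTO property_type (name) VALUES (?)", (sanitize_text(name),))


def try_insert(insert_fn, name: str) -> tuple:
    """Run insert_fn on a fresh database.
    Returns ('ok', stored_name) or ('error', message) if the SQL parser rejected it."""
    conn = make_db()
    try:
        insert_fn(conn, name)
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))
    row = conn.execute("SELECT name FROM property_type").fetchone()
    return ("ok", row[0])


if __name__ == "__main__":
    # Constructed input: an ordinary category name that happens to contain a quote.
    print("unsafe:", try_insert(insert_unsafe, "Children's Ministry"))  # ('error', ...)
    print("safe:  ", try_insert(insert_safe, "Children's Ministry"))    # ('ok', "Children's Ministry")
```

The syntax error from the unsafe path is the tell: user-controlled text changed the structure of the statement, which is exactly what a blind injection relies on, and what a bound parameter prevents regardless of what the sanitiser does.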
Affected products:
ChurchCRM
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-39340
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-66f7-4p96-mww9
This article was created with the assistance of AI technology by Perceptive.
