CVE-2025-68112

Опубликовано: 17 дек. 2025

Источник: nvd

CVSS3: 9.6

CVSS3: 8.8

EPSS Низкий

Описание

ChurchCRM is an open-source church management system. In versions prior to 6.5.3, a SQL injection vulnerability in ChurchCRM's Event Attendee Editor allows authenticated users to execute arbitrary SQL commands, leading to complete database compromise, administrative credential theft, and potential system takeover. The vulnerability enables attackers to extract sensitive member data, authentication credentials, and financial information from the church management system. Version 6.5.3 contains a patch for the issue.

Ссылки

https://github.com/ChurchCRM/CRM/security/advisories/GHSA-hxf4-3vhp-wqcq
Exploit
Vendor Advisory
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-hxf4-3vhp-wqcq
Exploit
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*

Версия до 6.5.3 (исключая)

EPSS

Процентиль: 13%

0.00042

Низкий

9.6 Critical

CVSS3

8.8 High

CVSS3

Дефекты

CWE-89

EPSS

Процентиль: 13%

0.00042

Низкий

9.6 Critical

CVSS3

8.8 High

CVSS3

Дефекты

CWE-89