CVE-2025-11529
BaseFortify
Publication date: 2025-10-09
Last updated on: 2026-04-29
Assigner: VulDB
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| churchcrm | churchcrm | up to 5.19.0 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a security flaw in ChurchCRM versions up to 5.18.0, specifically in the AuthMiddleware function of the API endpoint. It allows a remote attacker to bypass authentication, meaning unauthorized users can reach the system without valid credentials. The root cause is a missing authentication check: the middleware does not reliably verify the caller's identity before granting access.
How can this vulnerability impact me?
The vulnerability can allow attackers to gain unauthorized access to the ChurchCRM system remotely. This can lead to exposure or modification of sensitive data, unauthorized actions within the system, and compromise of the integrity and availability of the application.
What immediate steps should I take to mitigate this vulnerability?
Apply the patch identified as commit 3a1cffd2aea63d884025949cfbcfd274d06216a4 to the ChurchCRM software to remediate the missing authentication check in the AuthMiddleware component. Upgrading to a release outside the affected range listed above (5.19.0 or later) achieves the same result.