CVE-2025-66397
BaseFortify
Publication date: 2025-12-17
Last updated on: 2025-12-18
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| churchcrm | churchcrm | all versions before 6.5.3 (6.5.3 itself excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Broken Access Control issue in the Kiosk Manager feature of ChurchCRM versions prior to 6.5.3. It allows any authenticated user, not just administrators, to perform administrative actions such as allowing and accepting kiosk registrations, reloading kiosks, and identifying kiosks by sending crafted HTTP POST requests to specific API endpoints. This happens because the affected functions lack proper authorization checks, enabling low-privilege users to execute actions intended only for administrators. [1]
How can this vulnerability impact me?
The vulnerability allows unauthorized authenticated users to disrupt kiosk services by performing administrative actions. This can affect the availability and integrity of kiosks, potentially causing service disruptions or unauthorized changes to kiosk registrations and operations. Because low-privilege users can execute these actions remotely without special conditions, the impact includes high integrity and availability risks. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to perform administrative Kiosk Manager actions as a low-privilege authenticated user. Specifically, after logging in and extracting the session cookie, you can issue cURL POST requests to the vulnerable endpoints such as `/churchcrm/api/kiosks/allowRegistration`, `/churchcrm/api/kiosks/[ID]/acceptKiosk`, `/churchcrm/api/kiosks/[ID]/reloadKiosk`, and `/churchcrm/api/kiosks/[ID]/identifyKiosk`. If these requests succeed despite the user lacking administrative privileges, the system is vulnerable. Example commands include:

```bash
curl -X POST -b "session_cookie=YOUR_SESSION_COOKIE" https://yourchurchcrmserver/churchcrm/api/kiosks/allowRegistration
curl -X POST -b "session_cookie=YOUR_SESSION_COOKIE" https://yourchurchcrmserver/churchcrm/api/kiosks/10/acceptKiosk
curl -X POST -b "session_cookie=YOUR_SESSION_COOKIE" https://yourchurchcrmserver/churchcrm/api/kiosks/10/reloadKiosk
curl -X POST -b "session_cookie=YOUR_SESSION_COOKIE" https://yourchurchcrmserver/churchcrm/api/kiosks/10/identifyKiosk
```

[1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade ChurchCRM to version 6.5.3 or later, where the broken access control issue in the Kiosk Manager feature is fixed. This update implements strict authorization checks ensuring only administrators can perform the affected actions. Until the upgrade can be applied, restrict access to the vulnerable endpoints and monitor for suspicious activity from low-privilege users attempting to access these API endpoints. [1]
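The monitoring step above can be scripted against the web server's access log. The following is an added example, not code from ChurchCRM or from this record: it parses combined-format log lines (an assumed format; adjust `LOG_RE` for others), flags POSTs to the four Kiosk Manager endpoints that the server answered with 2xx/3xx, and counts them per source address. The sample log lines are constructed.

```python
import re
from collections import Counter

# The four Kiosk Manager endpoints named above; [ID] is the numeric kiosk identifier.
KIOSK_ADMIN_PATHS = (
    re.compile(r"^/churchcrm/api/kiosks/allowRegistration$"),
    re.compile(r"^/churchcrm/api/kiosks/\d+/(acceptKiosk|reloadKiosk|identifyKiosk)$"),
)

# Apache/nginx "combined" access-log format (assumed; adjust LOG_RE for other formats).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Parse one combined-format line into a dict; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["path"] = entry["path"].split("?", 1)[0]  # drop any query string
    entry["status"] = int(entry["status"])
    return entry

def is_kiosk_admin_call(method, path):
    """True for a POST to one of the vulnerable Kiosk Manager endpoints."""
    return method == "POST" and any(p.match(path) for p in KIOSK_ADMIN_PATHS)

def find_kiosk_admin_calls(lines):
    """Return entries for kiosk admin POSTs that the server answered with 2xx/3xx."""
    hits = []
    for line in lines:
        e = parse_line(line)
        # 2xx/3xx only: a 401/403 means the authorization check held
        if e and is_kiosk_admin_call(e["method"], e["path"]) and 200 <= e["status"] < 400:
            hits.append(e)
    return hits

def count_by_source(hits):
    """Number of successful kiosk admin calls per client IP, for triage."""
    return dict(Counter(h["ip"] for h in hits))

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [17/Dec/2025:10:01:02 +0000] "POST /churchcrm/api/kiosks/allowRegistration HTTP/1.1" 200 45 "-" "curl/8.4.0"
203.0.113.10 - - [17/Dec/2025:10:01:05 +0000] "POST /churchcrm/api/kiosks/10/acceptKiosk HTTP/1.1" 200 12 "-" "curl/8.4.0"
198.51.100.7 - - [17/Dec/2025:10:02:10 +0000] "POST /churchcrm/api/kiosks/10/reloadKiosk HTTP/1.1" 403 0 "-" "Mozilla/5.0"
192.0.2.5 - - [17/Dec/2025:10:03:00 +0000] "POST /churchcrm/api/kiosks/10/identifyKiosk?x=1 HTTP/1.1" 200 12 "-" "Mozilla/5.0"
""".splitlines()
```

The web server log does not record which ChurchCRM account sent a request, so every hit returned by `find_kiosk_admin_calls` still has to be reconciled with the application's own user audit to decide whether a non-administrator made the call.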