CVE-2025-67751
BaseFortify
Publication date: 2025-12-16
Last updated on: 2025-12-17
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| churchcrm | churchcrm | to 6.5.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The SQL injection vulnerability in ChurchCRM allows an authenticated user with event management permissions to execute arbitrary SQL queries, potentially leading to unauthorized access, modification, or deletion of sensitive data such as user credentials, financial information, and personal data. This unauthorized data exposure and manipulation can result in non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information against unauthorized access and breaches. [1]
Can you explain this vulnerability to me?
CVE-2025-67751 is a high-severity SQL injection vulnerability in the ChurchCRM application, specifically in the EventEditor.php file before version 6.5.0. The vulnerability occurs because the EN_tyid POST parameter, used when creating a new event and selecting an event type, is not sanitized or type-checked before being embedded directly into a SQL query. An authenticated user with event management permissions (isAddEvent) can exploit this by injecting malicious SQL code into the EN_tyid parameter, allowing them to execute arbitrary SQL queries on the database. This can lead to unauthorized data access, modification, or deletion. [1]
How can this vulnerability impact me? :
This vulnerability can have severe impacts including unauthorized access to sensitive data such as user credentials, financial information, and personal data stored in the ChurchCRM database. An attacker with event management permissions can execute arbitrary SQL queries, potentially leading to data exfiltration, data modification, or deletion, resulting in a full compromise of the application's database and its availability. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by intercepting and analyzing POST requests to EventEditor.php, specifically looking at the EN_tyid parameter. A common detection method is to test for time-based blind SQL injection by injecting a payload such as: EN_tyid=1 AND (SELECT 1 FROM (SELECT(SLEEP(5)))a). If the server response is delayed by approximately 5 seconds, it confirms the vulnerability. This can be done using tools like curl or Burp Suite to modify POST parameters and observe response times. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading ChurchCRM to version 6.5.0 or later, where the vulnerability is fixed by replacing raw SQL queries with parameterized queries using the Propel ORM. If upgrading is not immediately possible, restrict event management permissions to trusted users only, monitor and log POST requests to EventEditor.php for suspicious activity, and consider applying custom patches that sanitize the EN_tyid parameter. Ultimately, applying the official fix that uses ORM-based queries is necessary to fully mitigate the risk. [2]