CVE-2025-67877
BaseFortify
Publication date: 2025-12-17
Last updated on: 2025-12-18
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| churchcrm | churchcrm | < 6.5.3 (6.5.3 itself not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows attackers to perform SQL injection attacks that can expose personally identifiable information (PII) and sensitive data such as admin password hashes. Exposure of such data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access. Therefore, the vulnerability poses a significant risk to compliance with these standards. [1]
Can you explain this vulnerability to me?
This vulnerability is a SQL injection in ChurchCRM versions prior to 6.5.3. It lives in the src/CartToFamily.php file, where the PersonAddress POST parameter is used in a database query without being type-checked or sanitized. The other parameters handled by the same code are cast to integers before use, which is what prevents injection through them; PersonAddress lacks that cast, so an attacker who controls it can append arbitrary SQL to the query the application sends to the database.
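The following Python script is an added illustration of the vulnerability class described above; it is not ChurchCRM's code, and the table and column names (family_address, users, password_hash) are assumptions standing in for the real schema. It builds a constructed in-memory SQLite database and contrasts a query that splices the raw PersonAddress string into the SQL text with the hardened form that casts the value to an integer and binds it as a parameter, the treatment the other parameters in the affected code already receive. A tautology widens the WHERE clause to every row, and a UNION payload pulls a password hash out of another table, which is the exposure the compliance answer above refers to; the fixed version rejects both with a ValueError.

```python
import sqlite3

# Added illustration of CVE-2025-67877's vulnerability class, not ChurchCRM's
# real code or schema. The table and column names below are assumptions.


def make_db():
    """Build a constructed in-memory database with an address table and a user table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE family_address (id INTEGER PRIMARY KEY, street TEXT);
        INSERT INTO family_address VALUES (1, '1 Main St'), (2, '2 Oak Ave'), (3, '3 Elm Rd');
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO users VALUES (1, 'admin', 'constructed-hash-value');
        """
    )
    return conn


def lookup_address_vulnerable(conn, person_address):
    """Mirror the flaw: the raw PersonAddress string is spliced into the SQL text."""
    sql = "SELECT street FROM family_address WHERE id = " + person_address
    return [row[0] for row in conn.execute(sql)]


def lookup_address_fixed(conn, person_address):
    """Hardened form: cast to int (raising ValueError for anything that is not an
    integer) and pass the value as a bound parameter, so the database never sees
    attacker-controlled SQL syntax."""
    address_id = int(person_address)
    return [
        row[0]
        for row in conn.execute(
            "SELECT street FROM family_address WHERE id = ?", (address_id,)
        )
    ]


if __name__ == "__main__":
    db = make_db()
    print(lookup_address_vulnerable(db, "1"))         # ['1 Main St']
    print(lookup_address_vulnerable(db, "1 OR 1=1"))  # every address row
    print(lookup_address_vulnerable(db, "0 UNION SELECT password_hash FROM users"))  # the admin hash
    print(lookup_address_fixed(db, "1"))              # ['1 Main St']
    try:
        lookup_address_fixed(db, "1 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

The integer cast is the narrow fix this advisory describes; the bound parameter is what makes the query safe even if a future caller passes a string-typed value, so both belong in the hardened version.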
How can this vulnerability impact me?
An attacker exploiting this SQL injection vulnerability could execute arbitrary SQL commands on the ChurchCRM database. This could lead to unauthorized data access, data modification, or deletion, potentially compromising sensitive information stored in the system.
What immediate steps should I take to mitigate this vulnerability?
Upgrade ChurchCRM to version 6.5.3 or later, as this version fixes the SQL injection vulnerability in the src/CartToFamily.php file related to the PersonAddress POST parameter.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be confirmed by testing the PersonAddress POST parameter of the "Add to Family" feature (src/CartToFamily.php) for SQL injection, on a system you are authorised to test. Send a value that is not a plain integer, such as a tautology that widens the WHERE clause, and compare the result with a request that carries a single numeric PersonAddress. For example, with curl:
curl -X POST --data-urlencode "PersonAddress=1 OR 1=1" https://yourchurchcrm.example.com/src/CartToFamily.php
If the response returns more records than the benign request, or surfaces a database error, the instance is vulnerable. Two caveats: the request path depends on where the ChurchCRM src/ directory is served on your host, and, as with the rest of the ChurchCRM interface, the request needs a valid session cookie (pass it with curl -b). Separately, monitoring web-server and application logs for POST requests to CartToFamily.php whose PersonAddress value is not an integer, and for SQL syntax errors in the application's error log, helps detect exploitation attempts. [1]
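The log-monitoring suggestion above, as an added detection example that is not part of the original page or of ChurchCRM. It assumes a hypothetical "METHOD PATH BODY" request-log format, the kind a reverse proxy or WAF configured to log form bodies might emit, and an application error log containing MySQL/PDO error text; the sample lines are constructed, and the table name in the UNION payload is invented. The first function flags POSTs to CartToFamily.php whose PersonAddress decodes to anything other than a bare integer, the exact condition the integer cast in the fixed version would reject; the second picks out SQL syntax errors that a failed injection attempt would leave behind.

```python
import re
from urllib.parse import parse_qs

# Constructed sample lines in a hypothetical "METHOD PATH BODY" request-log
# format. These are not real ChurchCRM or web-server logs; the table name in
# the UNION payload is invented.
SAMPLE_REQUEST_LOG = [
    "POST /CartToFamily.php PersonAddress=12&FamilyName=Smith",
    "POST /CartToFamily.php PersonAddress=1+OR+1%3D1&FamilyName=Smith",
    "POST /CartToFamily.php PersonAddress=0+UNION+SELECT+password_hash+FROM+users--&FamilyName=x",
    "GET /PersonView.php?PersonID=5",
    "POST /CartToFamily.php FamilyName=Jones",
]

# Constructed application error-log lines. The MySQL message and the PDO
# SQLSTATE prefix are real error strings; their appearance here is assumed.
SAMPLE_ERROR_LOG = [
    "2025-12-17 10:01:02 INFO  Family added for person 12",
    "2025-12-17 10:01:09 ERROR SQLSTATE[42000]: Syntax error or access violation: 1064 "
    "You have an error in your SQL syntax; check the manual ... near 'UNION SELECT' at line 1",
    "2025-12-17 10:02:15 INFO  Login for user admin",
]

INTEGER_ONLY = re.compile(r"^\d+$")
SQL_ERROR_MARKERS = ("You have an error in your SQL syntax", "SQLSTATE[42000]")


def suspicious_requests(lines):
    """Return (line, decoded PersonAddress) pairs for POSTs to CartToFamily.php
    whose PersonAddress is not a bare integer. Requests without the parameter
    are ignored: the cast-based fix only ever sees values that are present."""
    hits = []
    for line in lines:
        parts = line.split(" ", 2)
        if len(parts) != 3:
            continue
        method, path, body = parts
        if method != "POST" or not path.endswith("/CartToFamily.php"):
            continue
        params = parse_qs(body, keep_blank_values=True)  # decodes %xx and '+'
        for value in params.get("PersonAddress", []):
            if not INTEGER_ONLY.match(value):
                hits.append((line, value))
    return hits


def sql_error_lines(lines):
    """Return error-log lines carrying a MySQL syntax error or PDO SQLSTATE 42000,
    the residue a malformed injection attempt leaves in the application log."""
    return [line for line in lines if any(marker in line for marker in SQL_ERROR_MARKERS)]


if __name__ == "__main__":
    for line, value in suspicious_requests(SAMPLE_REQUEST_LOG):
        print("suspicious PersonAddress %r in: %s" % (value, line))
    for line in sql_error_lines(SAMPLE_ERROR_LOG):
        print("SQL error:", line)
```

Run it against your own proxy or WAF capture by replacing the constructed lists; the integer-only check is deliberately strict, since a legitimate PersonAddress for this feature is a numeric identifier and anything else is worth a look.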