CVE-2025-68109
BaseFortify
Publication date: 2025-12-17
Last updated on: 2025-12-18
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| churchcrm | churchcrm | versions before 6.5.3 (6.5.3 itself excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
| CWE-494 | The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code. |
| CWE-915 | The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified. |
| CWE-552 | The product makes files or directories accessible to unauthorized actors, even though they should not be. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in ChurchCRM versions prior to 6.5.3 involves the Database Restore functionality not validating the content or file extension of uploaded files. An attacker can exploit this by uploading a malicious web shell file and then a .htaccess file to enable direct access to the web shell. This allows the attacker to execute remote code on the server.
How can this vulnerability impact me?
The vulnerability can lead to remote code execution on the server hosting ChurchCRM, which means an attacker could run arbitrary commands, potentially taking control of the server, accessing sensitive data, or disrupting services.
What immediate steps should I take to mitigate this vulnerability?
Upgrade ChurchCRM to version 6.5.3 or later, as this version fixes the vulnerability related to the Database Restore functionality allowing remote code execution via uploaded web shells and .htaccess files.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows attackers to gain full remote code execution on the server, leading to complete system compromise including unauthorized access, modification, or deletion of sensitive data such as user data, financial records, and audit logs. Such unauthorized access and potential data breaches can result in non-compliance with common standards and regulations like GDPR and HIPAA, which mandate protection of personal and sensitive information. Therefore, exploitation of this vulnerability poses a significant risk to compliance with these regulations. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking for the presence of uploaded web shell files and .htaccess files that enable access to them on the ChurchCRM server, especially if the version is prior to 6.5.3. You can scan the web server directories for suspicious files that are not typical database backups, such as files with web shell code or unexpected .htaccess files. Commands to help detect this include:

1) Searching for recently modified or uploaded files in the upload or backup directories, e.g., `find /path/to/churchcrm/uploads -type f -mtime -30` to find files modified in the last 30 days.
2) Grepping for common web shell signatures or suspicious PHP code, e.g., `grep -r --include='*.php' 'eval(' /path/to/churchcrm/uploads` or `grep -r 'shell_exec' /path/to/churchcrm/uploads`.
3) Checking for .htaccess files that enable execution or access, e.g., `find /path/to/churchcrm/uploads -name '.htaccess' -exec cat {} \;`.
4) Reviewing web server logs for unusual access patterns to uploaded files that could indicate exploitation attempts.

These steps can help identify if an attacker has uploaded malicious files exploiting the vulnerability. [1]
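The file-system checks from the answer above, combined into one script as an added example (not from the advisory or the ChurchCRM project). The directory argument, the 30-day default window and the `recent:`/`htaccess:`/`php:`/`suspicious:` output labels are assumptions; the keywords grepped for are the two the advisory names.

```shell
#!/bin/sh
# Added example: run the advisory's checks over a ChurchCRM upload/backup
# directory given as $1 and print one "label: path" line per finding.
# Assumption: a backup directory should contain only database dumps, so any
# .htaccess file, any .php file and any file mentioning eval( or shell_exec
# is worth a manual review.
scan_uploads() {
    dir="$1"
    days="${2:-30}"   # look-back window for "recently modified" (assumed default)

    # 1) recently modified files of any type, for triage only
    find "$dir" -type f -mtime "-$days" -print | sed 's/^/recent: /'

    # 2) .htaccess files dropped into the upload tree (can re-enable execution)
    find "$dir" -name '.htaccess' -print | sed 's/^/htaccess: /'

    # 3) PHP files where only database backups are expected
    find "$dir" -type f -name '*.php' -print | sed 's/^/php: /'

    # 4) files containing the two web-shell tokens the advisory greps for
    grep -rlE 'eval\(|shell_exec' "$dir" 2>/dev/null | sed 's/^/suspicious: /'
}

# Number of findings excluding the "recent:" triage lines.
# A non-zero result means the directory needs a manual review.
count_findings() {
    scan_uploads "$1" "${2:-30}" | grep -vc '^recent: ' || true
}

# Stand-alone usage: scan_uploads /path/to/churchcrm/uploads 30 (path assumed)
```

Step 4 of the advisory (web server log review) is not file-system based and is left to the log pipeline.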