CVE-2025-68111
BaseFortify
Publication date: 2025-12-17
Last updated on: 2025-12-18
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| churchcrm | churchcrm | to 6.5.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
This vulnerability allows an authenticated user with finance privileges to perform SQL injection attacks, potentially leading to unauthorized access, modification, or deletion of sensitive data within the database. Such unauthorized data access and manipulation can result in violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and ensuring data integrity. Therefore, the presence of this vulnerability could lead to non-compliance with these common standards and regulations. [1]
Can you explain this vulnerability to me?
This vulnerability is a SQL injection in ChurchCRM versions prior to 6.5.3, specifically in the 'ReImport' functionality within the eGive.php file. An authenticated user with finance privileges can manipulate the 'MissingEgive_FamID_...' POST parameter to execute arbitrary SQL queries on the database.
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized access, modification, or deletion of data within the ChurchCRM database, potentially compromising sensitive financial and personal information.
What immediate steps should I take to mitigate this vulnerability?
Upgrade ChurchCRM to version 6.5.3 or later, as this version contains the patch that fixes the SQL injection vulnerability in the eGive.php file. Additionally, restrict finance privileges to trusted users only and monitor for any unusual database activity.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting a time-based blind SQL injection on the POST parameter MissingEgive_FamID_... during the ReImport functionality in ChurchCRM. For example, an authenticated user with finance privileges can submit a POST request with a payload like: 1' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND '1'='1. If the server response is delayed by approximately 5 seconds, it indicates a successful SQL injection. To test this, you can use tools like curl or Burp Suite to craft and send the POST request with the manipulated parameter. Example curl command: curl -X POST -d "MissingEgive_FamID_test=1' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a) AND '1'='1" https://yourchurchcrm.example.com/path/to/ReImport -b cookies.txt (where cookies.txt contains authenticated session cookies). Monitoring response times for delays can help detect the vulnerability. [1]