CVE-2025-68400
BaseFortify
Publication date: 2025-12-17
Last updated on: 2025-12-18
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| churchcrm | churchcrm | to 6.5.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a SQL Injection in the legacy endpoint `/Reports/ConfirmReportEmail.php` of ChurchCRM versions prior to 6.5.3. Although the feature was removed from the user interface, the endpoint remains accessible directly via URL. Any authenticated user, even those without assigned permissions, can exploit the SQL injection through the `familyId` parameter, potentially manipulating the database.
How can this vulnerability impact me? :
The vulnerability allows any authenticated user to perform SQL injection attacks, which can lead to unauthorized access, data manipulation, or data leakage within the ChurchCRM system. This can compromise the integrity and confidentiality of the data managed by the system.
What immediate steps should I take to mitigate this vulnerability?
Upgrade ChurchCRM to version 6.5.3 or later, as this version fixes the SQL Injection vulnerability in the legacy endpoint `/Reports/ConfirmReportEmail.php`. Additionally, restrict access to the legacy endpoint or remove the file if possible to prevent exploitation by authenticated users.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending specially crafted HTTP requests to the legacy endpoint `/Reports/ConfirmReportEmail.php` with malicious payloads in the `familyId` parameter to test for SQL injection. For example, you can use curl to send a time-based blind SQL injection payload that causes a delay in the server response, such as: curl -i "http://<target-host>/Reports/ConfirmReportEmail.php?familyId=1)%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(5)))a)%20--%20-". If the response is delayed by approximately 5 seconds, it indicates the presence of the vulnerability. This method requires authentication since any authenticated user can exploit it, even with zero assigned permissions. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows any authenticated user to perform SQL injection attacks that can lead to complete database compromise, including reading, writing, and deleting sensitive data. This exposure of sensitive data could result in non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches. Therefore, exploitation of this vulnerability could lead to violations of these standards due to potential data breaches and loss of data integrity and confidentiality. [1]