CVE-2025-68400
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-17

Last updated on: 2025-12-18

Assigner: GitHub, Inc.

Description
ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in the legacy endpoint `/Reports/ConfirmReportEmail.php` in ChurchCRM prior to version 6.5.3. Although the feature was removed from the UI, the file remains deployed and reachable directly via URL. This is a classic case of *dead but reachable code*. Any authenticated user - including one with zero assigned permissions - can exploit SQL injection through the `familyId` parameter. Version 6.5.3 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-17
Last Modified
2025-12-18
Generated
2026-06-16
AI Q&A
2025-12-18
EPSS Evaluated
2026-06-14
NVD
CVE-2025-68400
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
churchcrm churchcrm to 6.5.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a SQL Injection in the legacy endpoint `/Reports/ConfirmReportEmail.php` of ChurchCRM versions prior to 6.5.3. Although the feature was removed from the user interface, the endpoint remains accessible directly via URL. Any authenticated user, even those without assigned permissions, can exploit the SQL injection through the `familyId` parameter, potentially manipulating the database.

Impact Analysis

The vulnerability allows any authenticated user to perform SQL injection attacks, which can lead to unauthorized access, data manipulation, or data leakage within the ChurchCRM system. This can compromise the integrity and confidentiality of the data managed by the system.

Mitigation Strategies

Upgrade ChurchCRM to version 6.5.3 or later, as this version fixes the SQL Injection vulnerability in the legacy endpoint `/Reports/ConfirmReportEmail.php`. Additionally, restrict access to the legacy endpoint or remove the file if possible to prevent exploitation by authenticated users.

Detection Guidance

This vulnerability can be detected by sending specially crafted HTTP requests to the legacy endpoint `/Reports/ConfirmReportEmail.php` with malicious payloads in the `familyId` parameter to test for SQL injection. For example, you can use curl to send a time-based blind SQL injection payload that causes a delay in the server response, such as: curl -i "http://<target-host>/Reports/ConfirmReportEmail.php?familyId=1)%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(5)))a)%20--%20-". If the response is delayed by approximately 5 seconds, it indicates the presence of the vulnerability. This method requires authentication since any authenticated user can exploit it, even with zero assigned permissions. [1]

Compliance Impact

The vulnerability allows any authenticated user to perform SQL injection attacks that can lead to complete database compromise, including reading, writing, and deleting sensitive data. This exposure of sensitive data could result in non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches. Therefore, exploitation of this vulnerability could lead to violations of these standards due to potential data breaches and loss of data integrity and confidentiality. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68400. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart