CVE-2025-67874
6.9
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
ChurchCRM is an open-source church management system. Prior to version 6.5.0, the application echoes back plaintext passwords submitted by users in subsequent HTTP responses. This information disclosure significantly increases the risk of credential compromise and may amplify the impact of other vulnerabilities (e.g., XSS, IDOR, session fixation), enabling attackers to harvest other users’ passwords. Version 6.5.0 fixes the issue.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| ChurchCRM | CRM | < 6.5.0 | affected |
Weaknesses
- CWE-204: CWE-204: Observable Response Discrepancy
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
References
- https://github.com/ChurchCRM/CRM/security/advisories/GHSA-p98h-5xcj-5c6x
- https://github.com/ChurchCRM/CRM/commit/2d6cf7aed9af1b9b47e125d1a2266f8e2a88f3fd
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.