CVE-2025-67877
7.4
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
Summary
ChurchCRM is an open-source church management system. Versions prior to 6.5.3 have a SQL injection vulnerability in the src/CartToFamily.php file, specifically in how the PersonAddress POST parameter is handled. Unlike other parameters in the same file which are correctly cast to integers using the InputUtils class, the PersonAddress parameter is missing the type definition. This allows an attacker to inject arbitrary SQL commands directly into the query. Version 6.5.3 fixes the issue.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| ChurchCRM | CRM | < 6.5.3 | affected |
Weaknesses
- CWE-89: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: total
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.