Description

ChurchCRM is an open-source church management system. Prior to version 6.5.3, a SQL injection vulnerability exists in the `src/ListEvents.php` file. When filtering events by type, the `WhichType` POST parameter is not properly sanitized or type-casted before being used in multiple SQL queries. This allows any authenticated user to execute arbitrary SQL commands, including time-based blind SQL injection attacks. Any authenticated user, regardless of their privilege level, can execute arbitrary queries on the database. This could allow them to exfiltrate, modify, or delete any data in the database, including user credentials, financial data, and personal information, leading to a full compromise of the application's data. Version 6.5.3 fixes the issue.

INFO

Published Date :

2025-12-17T19:04:44.906Z

Last Modified :

2025-12-17T19:28:51.908Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-66395 vulnerability.

Vendors Products
Churchcrm
  • Churchcrm
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-66395.

URL Resource
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-c9xf-f3gr-xfwv cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact