CRITICAL🇵🇱 Wersja polska

CVE-2025-68110

CVSS 9.9v3.1pub. 2025-12-17upd. 2025-12-18

ChurchCRM is an open-source church management system. Versions prior to 6.5.3 may disclose database information in an error message including the host, ip, username, and password. Version 6.5.3 fixes the issue.

🤖 AI Analysis
How it works

The ChurchCRM application, in case of a database-related error, returns a detailed error message containing sensitive configuration information. This message may contain data such as the host address, database server IP address, username, and password. This is a typical case of CWE-209 vulnerability (generation of error message containing sensitive information) and CWE-200 (exposure of sensitive information to an unauthorized actor). An attacker with access to a user account can trigger the appropriate error and read this data from the application's response.

Impact

An attacker can obtain database login credentials (host, IP, username, password), which in practice means the possibility of direct access to the database containing all data of the religious organization — including personal data of parishioners, financial and administrative data. Database takeover can lead to reading, modifying, or deleting data.

Mitigation & patch

ChurchCRM should be updated to version 6.5.3 or newer, which contains a fix that eliminates the disclosure of database connection data in error messages. Details are available in the vendor's references on GitHub.

Who is affected

ChurchCRM (parish management system) in all versions earlier than 6.5.3.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Churchcrm

    APP
    Churchcrm
    < 6.5.3
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-39339CRITICAL9.1PL ✓ten sam produkt

ChurchCRM — krytyczny auth bypass w API middleware

CVE-2026-39342CRITICAL9.4PL ✓ten sam produkt

SQL Injection w ChurchCRM przez parametr searchwhat (QueryView.php)

CVE-2026-35573CRITICAL9.1PL ✓ten sam produkt

ChurchCRM: Path Traversal i RCE przez funkcję przywracania kopii zapasowej

CVE-2026-39337CRITICAL10.0PL ✓ten sam produkt

ChurchCRM: pre-auth RCE przez wstrzyknięcie kodu PHP w kreatorze instalacji

CVE-2025-68112CRITICAL9.6PL ✓ten sam produkt

SQL Injection w ChurchCRM — kompromitacja bazy danych