ChurchCRM is an open-source church management system. Versions prior to 6.5.3 may disclose database information in an error message including the host, ip, username, and password. Version 6.5.3 fixes the issue.
The ChurchCRM application, in case of a database-related error, returns a detailed error message containing sensitive configuration information. This message may contain data such as the host address, database server IP address, username, and password. This is a typical case of CWE-209 vulnerability (generation of error message containing sensitive information) and CWE-200 (exposure of sensitive information to an unauthorized actor). An attacker with access to a user account can trigger the appropriate error and read this data from the application's response.
An attacker can obtain database login credentials (host, IP, username, password), which in practice means the possibility of direct access to the database containing all data of the religious organization — including personal data of parishioners, financial and administrative data. Database takeover can lead to reading, modifying, or deleting data.
ChurchCRM should be updated to version 6.5.3 or newer, which contains a fix that eliminates the disclosure of database connection data in error messages. Details are available in the vendor's references on GitHub.
ChurchCRM (parish management system) in all versions earlier than 6.5.3.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HChurchcrm
APPChurchcrm< 6.5.3
Related vulnerabilities
ChurchCRM — krytyczny auth bypass w API middleware
SQL Injection w ChurchCRM przez parametr searchwhat (QueryView.php)
ChurchCRM: Path Traversal i RCE przez funkcję przywracania kopii zapasowej
ChurchCRM: pre-auth RCE przez wstrzyknięcie kodu PHP w kreatorze instalacji
SQL Injection w ChurchCRM — kompromitacja bazy danych