CVE-2025-67874

Medium CVSS: 6.9

ChurchCRM is an open-source church management system. Prior to version 6.5.0, the application echoes back plaintext passwords submitted by users in subsequent HTTP responses. This information disclosure significantly increases the risk of credential compromise and may amplify the impact of other vulnerabilities (e.g., XSS, IDOR, session fixation), enabling attackers to harvest other users’ passwords. Version 6.5.0 fixes the issue.

Vendor

Churchcrm

Product

Churchcrm

CWE

CWE-204

Yayın Tarihi

2025-12-16 01:15:53

Güncelleme

2025-12-17 14:14:08

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-204 Churchcrm MEDIUM Churchcrm 2025

Referanslar

https://github.com/ChurchCRM/CRM/commit/2d6cf7aed9af1b9b47e125d1a2266f8e2a88f3fd https://github.com/ChurchCRM/CRM/security/advisories/GHSA-p98h-5xcj-5c6x

Benzer Kayıtlar

Medium

CVE-2026-32880

ChurchCRM is an open-source church management system. Versions prior to 7.0.2 allow an admin user to edit JSON type syst…

Low

CVE-2026-26059

ChurchCRM is an open-source church management system. In versions prior to 6.8.2, it was possible for an authenticated u…

High

CVE-2026-24854

ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in endpoint `/PaddleNumEditor…

High

CVE-2026-24855

ChurchCRM is an open-source church management system. Versions prior to 6.7.2 have a Stored Cross-Site Scripting (XSS) v…

Low

CVE-2025-68399

ChurchCRM is an open-source church management system. In versions prior to 6.5.4, there is a Stored Cross-Site Scripting…

Critical

CVE-2025-68400

ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in the legacy endpoint `/Repo…