CVE-2025-1023 Scanner
CVE-2025-1023 Scanner - SQL Injection vulnerability in ChurchCRM
Short Info
Level
Single Scan
Single Scan
Can be used by
Asset Owner
Estimated Time
10 seconds
Time Interval
16 days 3 hours
Scan only one
Domain, Subdomain, IPv4
Toolbox
ChurchCRM is an open-source management software used primarily in churches and religious organizations to handle member information, event scheduling, and donations. Widely adopted by both small and large communities, it aids in streamlining various administrative tasks. ChurchCRM offers features like contribution tracking, Sunday school management, and member directory assistance. It is typically deployed on web servers accessible over the internet, providing convenience in managing church data remotely. Given its integration capabilities, it helps in maintaining a real-time record of all church-related activities.
SQL Injection is a critical vulnerability that allows attackers to execute arbitrary SQL queries on a database. In the case of ChurchCRM, the vulnerability exists within the EditEventTypes functionality. The newCountName parameter is improperly sanitized, leaving it susceptible to manipulation. An attacker can exploit this to execute commands on the underlying database, potentially leading to data modification or exfiltration. The primary risk lies in unauthorized access and control over sensitive church data.
The vulnerability is particularly centered around the EditEventTypes.php endpoint in the ChurchCRM application. Attackers manipulate the newCountName parameter in SQL queries through unsanitized user input. By injecting a payload into this parameter, attackers can execute commands that trigger time-based actions, confirmed by changes in response times. The application's reliance on direct concatenation in SQL statements without sanitation opens it up to this SQL Injection risk.
Exploiting this vulnerability gives attackers the capability to access and modify sensitive data, which can include church member information and financial records. Data exfiltration can lead to privacy breaches affecting church members, and falsified data entries could disrupt administrative operations. Long-term exploitation might result in data deletion or even entire database compromise, severely impacting church operations.
REFERENCES
