CVE-2025-1133 in ChurchCRMinfo

Summary

by MITRE • 02/19/2025

A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a boolean-based blind SQL Injection vulnerability in the EditEventAttendees functionality. The EID parameter is directly concatenated into an SQL query without proper sanitization, making it susceptible to SQL injection attacks. An attacker can manipulate the query, potentially leading to data exfiltration, modification, or deletion.  Please note that this vulnerability requires Administrator privileges.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 02/19/2025

The vulnerability identified as CVE-2025-1133 represents a critical boolean-based blind sql injection flaw within ChurchCRM version 5.13.0 and earlier installations. This security weakness resides in the EditEventAttendees functionality where the EID parameter is directly incorporated into sql queries without adequate input validation or sanitization measures. The vulnerability operates at the application layer and specifically targets the database interaction mechanisms that handle event attendee management within the church management system. The absence of proper parameterized queries or input sanitization creates an exploitable condition where malicious actors can manipulate the sql execution flow through carefully crafted boolean conditions.

The technical exploitation of this vulnerability requires an attacker to possess administrative privileges within the ChurchCRM system, which significantly narrows the attack surface but does not eliminate the severity of the issue. When an attacker with administrative access manipulates the EID parameter, they can construct sql injection payloads that trigger boolean responses from the database. These responses allow the attacker to infer information about the underlying database structure and content through a process of trial and error, where each successful boolean query confirms or denies specific conditions. This blind sql injection technique enables attackers to extract sensitive data, modify database records, or potentially delete critical information within the church management system.

The operational impact of this vulnerability extends beyond simple data compromise, as it represents a complete breakdown in the application's security controls for sql query execution. Organizations utilizing ChurchCRM versions prior to the patched release face significant risks including unauthorized access to sensitive church member information, modification of event attendance records, and potential data destruction that could disrupt church operations. The requirement for administrative privileges does not mitigate the risk, as compromised administrator accounts represent a severe security incident that could lead to complete system compromise. The vulnerability essentially provides a backdoor for attackers to escalate their access and perform unauthorized operations within the system's database layer.

Security mitigations for CVE-2025-1133 should focus on immediate patching of ChurchCRM installations to versions that address the sql injection vulnerability in the EditEventAttendees functionality. Organizations must ensure that all administrative accounts are properly secured through multi-factor authentication and regular credential rotation. The implementation of proper input validation and parameterized queries should be enforced throughout the application codebase to prevent similar vulnerabilities from emerging. Additionally, network segmentation and access controls should be implemented to limit administrative access to only essential personnel. This vulnerability aligns with CWE-89 which specifically addresses sql injection flaws, and represents a clear violation of the principle of least privilege as defined in cybersecurity best practices. The ATT&CK framework would categorize this vulnerability under the T1190 technique for exploiting vulnerabilities in applications, and the T1078 technique for valid accounts usage when administrative credentials are compromised. Organizations should conduct comprehensive security audits to identify any other instances of improper sql query construction within their ChurchCRM installations and similar applications to prevent future exploitation attempts.

Responsible

Gridware

Reservation

02/08/2025

Disclosure

02/19/2025

Moderation

accepted

CPE

ready

EPSS

0.00583

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!