CVE-2025-1134 in ChurchCRMinfo

Summary

by MITRE • 02/19/2025

A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a boolean-based and time-based blind SQL Injection vulnerability in the DonatedItemEditor functionality. The CurrentFundraiser parameter is directly concatenated into an SQL query without sufficient sanitization, allowing an attacker to manipulate database queries and execute arbitrary commands, potentially leading to data exfiltration, modification, or deletion. Please note that this vulnerability requires Administrator privileges.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 02/19/2025

The vulnerability identified as CVE-2025-1134 represents a critical security flaw within ChurchCRM version 5.13.0 and earlier releases, specifically targeting the DonatedItemEditor functionality. This issue manifests as a boolean-based and time-based blind SQL injection vulnerability that fundamentally compromises the integrity of the application's database layer. The vulnerability stems from insufficient input validation and sanitization practices within the codebase, where the CurrentFundraiser parameter is directly concatenated into SQL queries without proper escaping or parameterization mechanisms. Such implementation flaws create an exploitable attack surface that allows malicious actors to manipulate the underlying database operations through carefully crafted input sequences.

The technical exploitation of this vulnerability requires an attacker to possess administrator privileges, which significantly reduces the attack surface but does not eliminate the severity of the issue. The boolean-based and time-based blind injection techniques enable attackers to infer database contents through response timing variations and logical outcomes, making the vulnerability particularly dangerous as it allows for systematic data exfiltration without immediate detection. The concatenation of user-supplied parameters directly into SQL statements violates fundamental security principles and creates opportunities for attackers to execute arbitrary database commands, potentially leading to unauthorized data access, modification, or complete database destruction. This vulnerability directly maps to CWE-89, which categorizes improper neutralization of special elements used in SQL commands, and aligns with ATT&CK technique T1071.004 for application layer protocol manipulation.

The operational impact of CVE-2025-1134 extends beyond simple data compromise, as it provides attackers with the capability to manipulate the entire fundraising database system within ChurchCRM. Successful exploitation could result in unauthorized modifications to donation records, fundraising campaign data, and potentially sensitive donor information stored within the system. The vulnerability's requirement for administrator privileges means that attackers who have already gained administrative access could leverage this flaw to establish persistent backdoors or escalate their privileges further within the system. Organizations using ChurchCRM versions prior to 5.13.1 should immediately implement mitigation strategies including input validation, parameterized queries, and comprehensive code reviews to address this critical vulnerability. The remediation approach should focus on implementing proper database query parameterization techniques and ensuring that all user inputs are rigorously validated before being processed by the application's database layer.

Responsible

Gridware

Reservation

02/08/2025

Disclosure

02/19/2025

Moderation

accepted

CPE

ready

EPSS

0.00683

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!