8.3

CVE-2025-66397

Exploit

EPSS 0.25%
Veröffentlicht 17.12.2025 19:12:41
Zuletzt bearbeitet 18.12.2025 19:07:25
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

ChurchCRM's Kiosk Manager Functions are vulnerable to Broken Access Control

ChurchCRM is an open-source church management system. Prior to version 6.5.3, the allowRegistration, acceptKiosk, reloadKiosk, and identifyKiosk functions in the Kiosk Manager feature suffers from broken access control, allowing any authenticated user to allow and accept kiosk registrations, and perform other Kiosk Manager actions such as reload and identify. Version 6.5.3 fixes the issue.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Churchcrm ≫ Churchcrm Version < 6.5.3

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.25%	0.164

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	8.3	2.8	5.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H

CWE-284 Improper Access Control

The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

https://github.com/ChurchCRM/CRM/security/advisories/GHSA-32vr-ch3p-wmr5

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2025-66397

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-66397

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-66397

EUVD