CVE-2025-67874

Exploit

EPSS 0.04%
Veröffentlicht 16.12.2025 00:44:43
Zuletzt bearbeitet 17.12.2025 14:14:08
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

ChurchCRM is an open-source church management system. Prior to version 6.5.0, the application echoes back plaintext passwords submitted by users in subsequent HTTP responses. This information disclosure significantly increases the risk of credential compromise and may amplify the impact of other vulnerabilities (e.g., XSS, IDOR, session fixation), enabling attackers to harvest other users’ passwords. Version 6.5.0 fixes the issue.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Churchcrm ≫ Churchcrm Version < 6.5.0

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.136

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	6.5	2.8	3.6	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
security-advisories@github.com	6.9	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-204 Observable Response Discrepancy

The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.

https://github.com/ChurchCRM/CRM/commit/2d6cf7aed9af1b9b47e125d1a2266f8e2a88f3fd

Patch

https://github.com/ChurchCRM/CRM/security/advisories/GHSA-p98h-5xcj-5c6x

Vendor Advisory

Exploit

https://nvd.nist.gov/vuln/detail/CVE-2025-67874

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-67874

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-67874

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-67874