CVE-2025-1135

Summary

A vulnerability exists in ChurchCRM 5.1.0 through 5.1.1 (inclusive) that allows an authenticated attacker to execute arbitrary SQL queries by exploiting a boolean-based and time-based blind SQL injection vulnerability in the BatchWinnerEntry functionality. The CurrentFundraiser parameter is concatenated directly into an SQL query without sufficient sanitization, allowing an attacker to alter the query and execute arbitrary SQL statements, potentially leading to data exfiltration, modification, or deletion. Note that exploitation requires Administrator privileges.

Severity

  • Base Score: 9.8
  • Exploitability Score: 3.9
  • Impact Score: 5.9
  • Exploitable: Yes

Details

CVE-2025-1135 describes a critical SQL injection vulnerability in the ChurchCRM application, affecting versions 5.1.0 and 5.1.1. The flaw resides in the BatchWinnerEntry functionality and stems from inadequate sanitization of the CurrentFundraiser parameter. An authenticated attacker holding administrative privileges can exploit it by injecting SQL through this parameter: because the parameter is incorporated directly into the SQL text, the attacker can change the structure of the query and run arbitrary SQL statements against the database. The impact of successful exploitation can be severe, including unauthorized data access, modification, or deletion. Exploitability is relatively high, requiring only an administrator account and the ability to place a crafted SQL injection payload in the CurrentFundraiser parameter.

Remediation

To mitigate the risk posed by CVE-2025-1135, the following remediation steps are recommended:

  1. Upgrade ChurchCRM: Upgrade to ChurchCRM version 5.2.0 or later. This version contains a patch addressing the SQL injection vulnerability in the BatchWinnerEntry functionality. Check the official ChurchCRM website for the latest version and update instructions.

  2. Input Sanitization: Implement robust input validation for all user-supplied data, especially the CurrentFundraiser parameter in the BatchWinnerEntry functionality. Use parameterized queries or prepared statements so that user input is bound as data and never parsed as part of the SQL text; this is the primary defense. Where a value cannot be bound (for example a table or column name), validate it against an allow-list, and treat character escaping only as a last resort rather than as a substitute for parameterization.

  3. Least Privilege: Ensure that database users have only the necessary privileges to perform their intended tasks. Revoke any unnecessary privileges to reduce the potential impact of a successful SQL injection attack. Limit administrative access to only those who need it.

  4. Web Application Firewall (WAF): Consider deploying a Web Application Firewall (WAF) with rulesets designed to detect and block SQL injection attacks. A WAF can provide an additional layer of defense by analyzing incoming requests and filtering out malicious payloads.

  5. Regular Security Audits: Conduct regular security audits of ChurchCRM to identify and address any potential vulnerabilities. This includes reviewing the codebase, configuration settings, and access controls.

  6. Monitor Database Activity: Implement monitoring and logging of database activity to detect any suspicious or unauthorized access attempts. Analyze logs regularly to identify potential security incidents.
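The following is an added illustration of remediation step 2, not code from ChurchCRM: it places the unsafe concatenation pattern described in this advisory beside a parameterized lookup and an allow-list validator. The table, rows, and the assumption that CurrentFundraiser carries a numeric fundraiser id are constructed for the example; the real ChurchCRM schema and parameter semantics are not reproduced here.

```python
import re
import sqlite3

# Constructed in-memory table standing in for a fundraiser table.
# This is NOT ChurchCRM's schema; it exists only to make the example runnable.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fundraiser (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO fundraiser VALUES (?, ?)",
        [(1, "Spring Auction"), (2, "Fall Gala"), (3, "Winter Raffle")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, current_fundraiser):
    # The pattern the advisory describes: the request parameter is spliced
    # into the SQL text, so anything the caller sends becomes part of the query.
    sql = "SELECT id, title FROM fundraiser WHERE id = " + current_fundraiser
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, current_fundraiser):
    # The bound value is passed to the engine separately from the SQL text,
    # so it can only ever be compared as a value, never interpreted as SQL.
    sql = "SELECT id, title FROM fundraiser WHERE id = ?"
    return conn.execute(sql, (current_fundraiser,)).fetchall()


def validate_fundraiser_id(raw):
    # Allow-list validation (assumption: the id is a positive integer).
    # Rejecting anything else at the boundary gives a clean error and a
    # log-worthy event instead of passing odd input further into the app.
    if not isinstance(raw, str) or not re.fullmatch(r"[1-9][0-9]*", raw):
        raise ValueError("CurrentFundraiser must be a positive integer")
    return int(raw)


def lookup_hardened(conn, raw_current_fundraiser):
    # Defense in depth: validate first, then bind the typed value.
    fundraiser_id = validate_fundraiser_id(raw_current_fundraiser)
    return lookup_parameterized(conn, fundraiser_id)


if __name__ == "__main__":
    db = build_db()
    print(lookup_hardened(db, "2"))                 # [(2, 'Fall Gala')]
    print(lookup_parameterized(db, "2 OR 1=1"))     # [] : treated as a literal, no match
    try:
        lookup_hardened(db, "2 OR 1=1")
    except ValueError as err:
        print("rejected:", err)
```

The parameterized lookup returns no rows for malformed input because the engine compares the whole string as a single value; the validator goes one step further and refuses such input before any query runs, which is also the natural place to emit the log event that remediation step 6 asks for.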

Assigner

  • Name: Gridware
  • Email: b7efe717-a805-47cf-8e9a-921fca0ce0ce

Date

  • Published Date: 2025-02-19 09:15:11
  • Updated Date: 2025-02-19 09:15:11
