Description
ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in the legacy endpoint `/Reports/ConfirmReportEmail.php` in ChurchCRM prior to version 6.5.3. Although the feature was removed from the UI, the file remains deployed and reachable directly via URL. This is a classic case of *dead but reachable code*. Any authenticated user - including one with zero assigned permissions - can exploit SQL injection through the `familyId` parameter. Version 6.5.3 fixes the issue.
EPSS Score:
0%
Comprehensive Technical Analysis of EUVD-2025-204001
1. Vulnerability Assessment and Severity Evaluation
The vulnerability EUVD-2025-204001 pertains to a SQL Injection flaw in the ChurchCRM open-source church management system. This vulnerability is present in the legacy endpoint /Reports/ConfirmReportEmail.php in versions prior to 6.5.3. The issue arises from the presence of dead but reachable code, which can be directly accessed via URL despite being removed from the user interface.
Severity Evaluation:
- Base Score: 9.3
- Base Score Version: 4.0
- Base Score Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
The high base score of 9.3 indicates a critical vulnerability. The CVSS vector highlights that the attack vector is network-based (AV:N), requires low complexity (AC:L), and does not need any special privileges (PR:N) or user interaction (UI:N). The impact on confidentiality, integrity, and availability is high (VC:H, VI:H, VA:H).
2. Potential Attack Vectors and Exploitation Methods
Attack Vectors:
- Direct URL Access: An attacker can directly access the vulnerable endpoint
/Reports/ConfirmReportEmail.phpby crafting a URL with thefamilyIdparameter. - Authenticated User Exploitation: Any authenticated user, regardless of their permissions, can exploit this vulnerability.
Exploitation Methods:
- SQL Injection: By manipulating the
familyIdparameter, an attacker can inject malicious SQL code. This can lead to unauthorized data access, data manipulation, or even complete database compromise. - Data Exfiltration: Attackers can extract sensitive information from the database, including personal data of church members.
- Data Integrity Compromise: Attackers can modify database entries, leading to data integrity issues.
3. Affected Systems and Software Versions
Affected Systems:
- ChurchCRM versions prior to 6.5.3.
Software Versions:
- All versions of ChurchCRM before 6.5.3 are vulnerable. The issue is fixed in version 6.5.3.
4. Recommended Mitigation Strategies
Immediate Mitigation:
- Upgrade to Version 6.5.3: Organizations using ChurchCRM should immediately upgrade to version 6.5.3 or later to mitigate this vulnerability.
- Remove Legacy Endpoints: Ensure that all legacy endpoints are removed or properly secured to prevent direct access.
Long-Term Mitigation:
- Regular Security Audits: Conduct regular security audits to identify and remove dead but reachable code.
- Input Validation: Implement robust input validation and sanitization mechanisms to prevent SQL injection attacks.
- Least Privilege Principle: Enforce the principle of least privilege to minimize the impact of potential exploits.
5. Impact on European Cybersecurity Landscape
The vulnerability in ChurchCRM poses a significant risk to European organizations, particularly those involved in church management and related activities. Given the sensitive nature of the data handled by such systems, a successful exploit could lead to severe data breaches, compromising the personal information of church members. This underscores the importance of timely patching and regular security assessments to protect against such vulnerabilities.
6. Technical Details for Security Professionals
Vulnerability Details:
- Endpoint:
/Reports/ConfirmReportEmail.php - Parameter:
familyId - Exploit Method: SQL Injection via manipulation of the
familyIdparameter.
Example Exploit:
/Reports/ConfirmReportEmail.php?familyId=1' OR '1'='1
This example demonstrates a simple SQL injection attempt where the familyId parameter is manipulated to always return true, potentially allowing unauthorized access to data.
Detection and Monitoring:
- Log Analysis: Monitor access logs for unusual activity related to the
/Reports/ConfirmReportEmail.phpendpoint. - Intrusion Detection Systems (IDS): Implement IDS to detect and alert on suspicious SQL injection attempts.
Patching and Updates:
- Patch Management: Ensure that all instances of ChurchCRM are updated to version 6.5.3 or later.
- Code Review: Conduct thorough code reviews to identify and remove any other instances of dead but reachable code.
References:
By addressing this vulnerability promptly and implementing robust security measures, organizations can significantly reduce the risk of data breaches and ensure the integrity and confidentiality of their systems.