CVE-2025-68109

ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file to enable direct access to it. Once accessed, the uploaded web shell allows remote code execution (RCE) on the server. Version 6.5.3 fixes the issue.

CVSS v3 9.1 CRITICAL

9.1^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 2.3 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-pqm7-g8px-9r77	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-12-17 22:16

Updated : 2025-12-18 18:30

NVD link : CVE-2025-68109

Mitre link : CVE-2025-68109

CVE.ORG link : CVE-2025-68109

JSON object : View

Products Affected

churchcrm

churchcrm

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-434

Unrestricted Upload of File with Dangerous Type

CWE-494

Download of Code Without Integrity Check

CWE-552

Files or Directories Accessible to External Parties

CWE-915

Improperly Controlled Modification of Dynamically-Determined Object Attributes

{"id": "CVE-2025-68109", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 2.3}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.2}]}, "published": "2025-12-17T22:16:00.750", "references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-pqm7-g8px-9r77", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-78"}, {"lang": "en", "value": "CWE-434"}, {"lang": "en", "value": "CWE-494"}, {"lang": "en", "value": "CWE-552"}, {"lang": "en", "value": "CWE-915"}]}], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file to enable direct access to it. Once accessed, the uploaded web shell allows remote code execution (RCE) on the server. Version 6.5.3 fixes the issue."}], "lastModified": "2025-12-18T18:30:07.923", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5B1435CA-1370-4154-85E0-6AF1846DEEBD", "versionEndExcluding": "6.5.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}