CVE-2025-1135

Source
https://cve.org/CVERecord?id=CVE-2025-1135
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-1135.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-1135
Published
2025-02-19T09:01:59.048Z
Modified
2026-07-08T08:10:14.109914201Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:L/SA:H/AU:Y/R:U/V:C/RE:H/U:Red CVSS Calculator
Summary
SQL Injection in ChurchCRM CurrentFundraiser Parameter via BatchWinnerEntry.php
Details

A vulnerability exists in ChurchCRM 5.13.0. and prior that allows an attacker to execute arbitrary SQL queries by exploiting a boolean-based and time-based blind SQL Injection vulnerability in the BatchWinnerEntry functionality. The CurrentFundraiser parameter is directly concatenated into an SQL query without sufficient sanitization, allowing an attacker to manipulate database queries and execute arbitrary commands, potentially leading to data exfiltration, modification, or deletion. Please note the vulnerability requires Administrator privileges.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/1xxx/CVE-2025-1135.json",
    "cwe_ids": [
        "CWE-89"
    ],
    "cna_assigner": "Gridware"
}
References

Affected packages

Git / github.com/churchcrm/crm

Affected ranges

Type
GIT
Repo
https://github.com/churchcrm/crm
Events
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "cpe": "cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "ChurchCRM 5.13.0 and prior"
        },
        {
            "last_affected": "ChurchCRM 5.13.0 and prior"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "5.13.0"
        }
    ]
}

Affected versions

5.*
5.13.0
ChurchCRM 5.*
ChurchCRM 5.13.0 and prior

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-1135.json"