CVE-2025-66313

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-66313

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66313.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-66313

Aliases

GHSA-47q3-c874-mqvp

Published

2025-12-01T22:13:20.167Z

Modified

2026-04-02T13:01:13.238777Z

Severity

5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator

Summary

ChurchCRM vulnerable to a time-based blind SQL injection via the 1FieldSec parameter

Details

ChurchCRM is an open-source church management system. In ChurchCRM 6.2.0 and earlier, there is a time-based blind SQL injection in the handling of the 1FieldSec parameter. Injecting SLEEP() causes deterministic server-side delays, proving the value is incorporated into a SQL query without proper parameterization. The issue allows data exfiltration and modification via blind techniques.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66313.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-89"
    ]
}

References

Affected packages

Git / github.com/churchcrm/crm

Affected ranges

Type: GIT
Repo: https://github.com/churchcrm/crm
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

719a6bc73245c40e3c30dae6229daaecd451e59f

Affected versions

2.*

2.0.0

2.0.1

2.1.0

2.1.1

2.1.10

2.1.11

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.1.7

2.1.9

2.10.0

2.10.1

2.10.2

2.10.3

2.10.4

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

2.3.0

2.3.1

2.3.2

2.3.3

2.3.4

2.3.5

2.4.0

2.4.1

2.4.2

2.4.3

2.4.4

2.5.0

2.5.1

2.5.2

2.6.0

2.6.1

2.6.2

2.6.3

2.7.0

2.7.1

2.7.2

2.7.3

2.7.4

2.7.5

2.8.0

2.8.0-RC1

2.8.0-RC2

2.8.1

2.8.10

2.8.11

2.8.12

2.8.13

2.8.14

2.8.15

2.8.2

2.8.3

2.8.4

2.8.5

2.8.6

2.8.7

2.8.8

2.8.9

2.9.0

2.9.0-RC1

2.9.1

2.9.2

2.9.3

2.9.4

3.*

3.0.0

3.0.1

3.0.10

3.0.11

3.0.12

3.0.13

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.8

3.0.9

3.1.0

3.1.1

3.1.2

3.2.0

3.2.1

3.2.2

3.2.3

3.2.4

3.3.0

3.3.1

3.3.2

3.4.0

3.5.0

3.5.1

3.5.2

3.5.3

3.5.4

3.5.5

4.*

4.0.0

4.0.1

4.0.2

4.0.3

4.0.4

4.0.5

4.1.0

4.1.1

4.1.2

4.1.3

4.1.4

4.2.0

4.2.1

4.2.2

4.2.3

4.3.0

4.3.1

4.3.2

4.4.0

4.4.1

4.4.2

4.4.3

4.4.4

4.4.5

4.5.0

4.5.1

4.5.2

4.5.3

4.5.4

5.*

5.0.0

5.0.0-beta1

5.0.0-beta2

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.1.0

5.1.1

5.10.0

5.11.0

5.12.0

5.13.0

5.14.0

5.15.0

5.16.0

5.17.0

5.18.0

5.19.0

5.2.0

5.2.1

5.2.2

5.2.3

5.21.0

5.22.0

5.22.1

5.3.0

5.3.1

5.4.0

5.4.1

5.4.2

5.4.3

5.5.0

5.6.0

5.7.0

5.8.0

5.9.1

5.9.2

5.9.3

6.*

6.0.0

6.0.1

6.0.2

6.1.0

6.2.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66313.json"