CVE-2025-67875

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-67875

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-67875.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-67875

Aliases

GHSA-fcw7-mmfh-7vjm

Published

2025-12-17T21:16:16.078Z

Modified

2026-03-14T12:46:03.669781Z

Severity

8.5 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

ChurchCRM has stored XSS via Person Property Assignment Leading to Admin Session Hijacking

Details

ChurchCRM is an open-source church management system. A privilege escalation vulnerability exists in ChurchCRM prior to version 6.5.3. An authenticated user with specific mid-level permissions ("Edit Records" and "Manage Properties and Classifications") can inject a persistent Cross-Site Scripting (XSS) payload into an administrator's profile. The payload executes when the administrator views their own profile page, allowing the attacker to hijack the administrator's session, perform administrative actions, and achieve a full account takeover. This vulnerability is a combination of two separate flaws: an Insecure Direct Object Reference (IDOR) that allows any user to view any other user's profile, and a Broken Access Control vulnerability that allows a user with general edit permissions to modify any other user's record properties. Version 6.5.3 fixes the issue.

Database specific

{
    "cwe_ids": [
        "CWE-79"
    ],
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/67xxx/CVE-2025-67875.json"
}

References

Affected packages

Git / github.com/churchcrm/crm

Affected ranges

Type: GIT
Repo: https://github.com/churchcrm/crm
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

472e38155ef4bf5af183c591bcbcdb7969879985

Affected versions

2.*

2.0.0

2.0.1

2.1.0

2.1.1

2.1.10

2.1.11

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.1.7

2.1.9

2.10.0

2.10.1

2.10.2

2.10.3

2.2.0

2.2.1

2.2.2

2.2.3

2.2.4

2.3.0

2.3.1

2.3.2

2.3.3

2.3.4

2.3.5

2.4.0

2.4.1

2.4.2

2.4.3

2.4.4

2.5.0

2.5.1

2.5.2

2.6.0

2.6.1

2.6.2

2.6.3

2.7.0

2.7.1

2.7.2

2.7.3

2.7.4

2.7.5

2.8.0

2.8.0-RC1

2.8.0-RC2

2.8.1

2.8.10

2.8.11

2.8.12

2.8.13

2.8.14

2.8.15

2.8.2

2.8.3

2.8.4

2.8.5

2.8.6

2.8.7

2.8.8

2.8.9

2.9.0

2.9.0-RC1

2.9.1

2.9.2

2.9.3

2.9.4

3.*

3.0.0

3.0.1

3.0.10

3.0.11

3.0.12

3.0.13

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.8

3.0.9

3.1.0

3.1.1

3.1.2

3.2.0

3.2.1

3.2.2

3.2.3

3.2.4

3.3.0

3.3.1

3.3.2

3.4.0

3.5.0

3.5.1

3.5.2

3.5.3

3.5.4

3.5.5

4.*

4.0.0

4.0.1

4.0.2

4.0.3

4.0.4

4.0.5

4.1.0

4.1.1

4.1.2

4.1.3

4.1.4

4.2.0

4.2.1

4.2.2

4.2.3

4.3.0

4.3.1

4.3.2

4.4.0

4.4.1

4.4.2

4.4.3

4.4.4

4.4.5

4.5.0

4.5.1

4.5.2

4.5.3

4.5.4

5.*

5.0.0

5.0.0-beta1

5.0.0-beta2

5.0.1

5.0.2

5.0.3

5.0.4

5.0.5

5.1.0

5.1.1

5.10.0

5.11.0

5.12.0

5.13.0

5.14.0

5.15.0

5.16.0

5.17.0

5.18.0

5.19.0

5.2.0

5.2.1

5.2.2

5.2.3

5.21.0

5.22.0

5.3.0

5.3.1

5.4.0

5.4.1

5.4.2

5.4.3

5.5.0

5.6.0

5.7.0

5.8.0

5.9.1

5.9.2

5.9.3

6.*

6.0.0

6.0.1

6.0.2

6.1.0

6.2.0

6.3.0

6.4.0

6.5.0

6.5.1

6.5.2

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-67875.json"