Home

Description

ChurchCRM is an open-source church management system. Prior to version 6.5.0, the application echoes back plaintext passwords submitted by users in subsequent HTTP responses. This information disclosure significantly increases the risk of credential compromise and may amplify the impact of other vulnerabilities (e.g., XSS, IDOR, session fixation), enabling attackers to harvest other users’ passwords. Version 6.5.0 fixes the issue.

PUBLISHED Reserved 2025-12-12 | Published 2025-12-16 | Updated 2025-12-16 | Assigner GitHub_M




MEDIUM: 6.9CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-204: Observable Response Discrepancy

Product status

< 6.5.0
affected

References

github.com/...RM/CRM/security/advisories/GHSA-p98h-5xcj-5c6x

github.com/...ommit/2d6cf7aed9af1b9b47e125d1a2266f8e2a88f3fd

cve.org (CVE-2025-67874)

nvd.nist.gov (CVE-2025-67874)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.