Home

Description

ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file to enable direct access to it. Once accessed, the uploaded web shell allows remote code execution (RCE) on the server. Version 6.5.3 fixes the issue.

PUBLISHED Reserved 2025-12-15 | Published 2025-12-17 | Updated 2025-12-18 | Assigner GitHub_M




CRITICAL: 9.1CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Problem types

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-434: Unrestricted Upload of File with Dangerous Type

CWE-494: Download of Code Without Integrity Check

CWE-552: Files or Directories Accessible to External Parties

CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes

Product status

< 6.5.3
affected

References

github.com/...RM/CRM/security/advisories/GHSA-pqm7-g8px-9r77

cve.org (CVE-2025-68109)

nvd.nist.gov (CVE-2025-68109)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.