Cyber Posture

CVE-2025-1132

Severity: High · Public PoC

Published: 19 February 2025
Modified: 25 February 2025
KEV Added:
Patch:
CVSS Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0012 (31.2nd percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

Adversaries may leverage databases to mine valuable information.

Security Summary

CVE-2025-1132 is a time-based blind SQL injection vulnerability (CWE-89) in ChurchCRM versions 5.13.0 and prior. The flaw exists in the EditEventAttendees.php component, where the EN_tyid parameter is directly inserted into an SQL query without proper sanitization. This allows injection of malicious SQL commands. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Exploitation requires administrator permissions. A malicious actor with admin access can supply crafted input via the EN_tyid parameter to introduce SQL payloads that delay database responses, enabling confirmation of the vulnerability through timing analysis. As a time-based blind injection, it permits attackers to infer underlying database details and, through further exploitation, potentially retrieve sensitive data.

Mitigation details are available in the GitHub issue at https://github.com/ChurchCRM/CRM/issues/7251.
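As an added illustration (not ChurchCRM's own code; the handler, table and column names are hypothetical), the weak concatenation pattern the summary describes is shown beside a hardened form that validates the value and binds it as a query parameter:

```php
<?php
// Hypothetical handler in the style of the affected endpoint, NOT the real
// EditEventAttendees.php. Table and column names are assumptions.
declare(strict_types=1);

function buildQueryUnsafe(array $request): string
{
    // Weak pattern: the request value becomes part of the SQL text, so whatever
    // the client sends is parsed as SQL, including time-delay expressions.
    $typeId = $request['EN_tyid'] ?? '';
    return "SELECT * FROM event_types WHERE type_id = $typeId";
}

function fetchEventTypeSafe(PDO $pdo, array $request): ?array
{
    // 1. Validate shape first: a type id is expected to be a positive integer.
    $typeId = filter_var($request['EN_tyid'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($typeId === false) {
        return null; // reject rather than let arbitrary text reach the query
    }
    // 2. Bind as a parameter: the value travels separately from the SQL text
    //    and cannot change the statement's structure.
    $stmt = $pdo->prepare('SELECT * FROM event_types WHERE type_id = :id');
    $stmt->bindValue(':id', $typeId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo input: a benign request and one carrying extra SQL text.
$benign  = ['EN_tyid' => '7'];
$hostile = ['EN_tyid' => '7 OR 1=1'];

// The unsafe builder is only rendered, never executed, to show how the
// statement text changes when the value is concatenated in.
echo buildQueryUnsafe($benign), PHP_EOL;
echo buildQueryUnsafe($hostile), PHP_EOL;

// In-memory SQLite so the hardened path runs without a database server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE event_types (type_id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO event_types VALUES (7, 'Sunday Service')");

var_dump(fetchEventTypeSafe($pdo, $benign));  // the matching row
var_dump(fetchEventTypeSafe($pdo, $hostile)); // validation rejects it before any SQL runs
```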

Details

CWE(s)
CWE-89

Affected Products

Vendor: churchcrm
Product: churchcrm
Versions: ≤ 5.13.0

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1213.006 Databases (Collection)
Adversaries may leverage databases to mine valuable information.

Why these techniques?

The time-based blind SQL injection vulnerability in the ChurchCRM web application enables exploitation of a public-facing application (T1190) and facilitates collection of sensitive data from databases (T1213.006).

References