CVE-2025-1134
Published: 19 February 2025
Description
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Security Summary
CVE-2025-1134 is a boolean-based and time-based blind SQL injection vulnerability (CWE-89) in ChurchCRM versions 5.13.0 and prior. The flaw exists in the DonatedItemEditor functionality, where the CurrentFundraiser parameter is directly concatenated into an SQL query without sufficient sanitization. This allows attackers to execute arbitrary SQL queries, with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
The vulnerability requires administrator privileges for exploitation. An attacker with admin access can leverage the issue over the network with low attack complexity and no user interaction, manipulating database queries to achieve high impacts on confidentiality, integrity, and availability, such as data exfiltration, modification, or deletion.
Mitigation details are available in the GitHub issue at https://github.com/ChurchCRM/CRM/issues/7253.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The blind SQL injection vulnerability enables arbitrary SQL query execution on the database, facilitating data collection from databases (T1213.006), manipulation of stored data (T1565.001), and data destruction via deletion (T1485).