CVE-2025-1135
Published: 19 February 2025
Description
Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources.
Security Summary
CVE-2025-1135 is a boolean-based and time-based blind SQL injection vulnerability affecting ChurchCRM versions 5.13.0 and prior. The flaw resides in the BatchWinnerEntry functionality, where the CurrentFundraiser parameter is directly concatenated into an SQL query without sufficient sanitization. This allows attackers to manipulate database queries and execute arbitrary SQL commands. The vulnerability is classified under CWE-89 with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H).
Exploitation requires administrator privileges, enabling a high-privilege network attacker with low complexity to achieve high impacts on confidentiality, integrity, and availability. A successful attack can result in arbitrary SQL query execution, potentially leading to complete data exfiltration, modification, or deletion from the database.
The vulnerability is documented in ChurchCRM's GitHub repository at https://github.com/ChurchCRM/CRM/issues/7254.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection vulnerability in web application enables exploitation of public-facing app (T1190), database data collection (T1213.006), stored data manipulation (T1565.001), and data destruction via arbitrary SQL queries (T1485).