CVE-2025-68109
Published: 17 December 2025
Description
ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file to enable direct access to it. Once accessed, the uploaded web shell allows remote code execution (RCE) on the server. Version 6.5.3 fixes the issue.
Mitigating Controls (NIST 800-53 r5) (AI-generated)
- Directly mitigates the unrestricted file upload by requiring validation of both the content and the extension of files submitted to the Database Restore functionality, so that web shells cannot be uploaded.
- Enforces restrictions on accepted file types and inputs at the upload interface, blocking files such as web shells and .htaccess before they are processed.
- Requires timely identification, reporting, and correction of flaws such as the missing upload validation, enabling a patch to version 6.5.3 or later.
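The controls above reduce to one rule at the upload boundary: trust neither the client-supplied filename nor its extension, and verify that the bytes actually are the backup format the restore feature expects. The following is an added example written for this page in Python; it is not ChurchCRM's code (ChurchCRM is a PHP application) and the accepted formats (.sql and gzip-compressed .sql.gz), the size cap, the sample uploads and all function names are assumptions made here to illustrate the check.

```python
import gzip
import re
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed backup formats for this example (not ChurchCRM's actual list).
ALLOWED_SUFFIXES = (".sql", ".sql.gz")
GZIP_MAGIC = b"\x1f\x8b"
MAX_BYTES = 256 * 1024 * 1024  # assumed size cap
# Server-side code markers that must never appear inside a plain-text dump we accept.
FORBIDDEN_TEXT_MARKERS = (b"<?php", b"<?=", b"<script")
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


@dataclass(frozen=True)
class UploadDecision:
    accepted: bool
    reason: str
    storage_name: str = ""  # server-generated; the client's filename is never reused on disk


def _normalise_name(client_name: str) -> str:
    # Keep only the last path component so "../x" or "dir/x" cannot steer the write location.
    return client_name.replace("\\", "/").rsplit("/", 1)[-1].strip()


def _matching_suffix(name: str) -> Optional[str]:
    lower = name.lower()
    for suffix in ALLOWED_SUFFIXES:
        if lower.endswith(suffix):
            return suffix
    return None


def _plain_sql_is_clean(data: bytes) -> bool:
    if b"\x00" in data:
        return False  # NUL bytes mean a binary, not a text dump
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        return False
    lowered = data.lower()
    return not any(marker in lowered for marker in FORBIDDEN_TEXT_MARKERS)


def _gzip_is_clean(data: bytes) -> bool:
    # The magic bytes and a successful decompression must both hold; then the inner text is checked.
    if not data.startswith(GZIP_MAGIC):
        return False
    try:
        inner = gzip.decompress(data)
    except (OSError, EOFError):
        return False
    return _plain_sql_is_clean(inner)


def validate_restore_upload(client_name: str, data: bytes) -> UploadDecision:
    name = _normalise_name(client_name)
    # Dotfiles such as .htaccess, empty names and odd characters are refused outright.
    if not name or name.startswith(".") or not SAFE_NAME_RE.match(name):
        return UploadDecision(False, "unsafe filename")
    suffix = _matching_suffix(name)
    if suffix is None:
        return UploadDecision(False, "extension not in allowlist")
    # Exactly one extension group: "dump.php.sql" carries an extra component and is refused.
    if "." in name[: -len(suffix)]:
        return UploadDecision(False, "multiple extensions")
    if not data or len(data) > MAX_BYTES:
        return UploadDecision(False, "empty or oversized upload")
    # The content must agree with the extension; the name alone proves nothing.
    clean = _gzip_is_clean(data) if suffix == ".sql.gz" else _plain_sql_is_clean(data)
    if not clean:
        return UploadDecision(False, "content does not match a SQL dump")
    # Random server-side name with the verified suffix, meant for a directory outside the web root.
    return UploadDecision(True, "ok", f"restore-{secrets.token_hex(8)}{suffix}")


# Constructed sample uploads for the demonstration (none are real ChurchCRM artifacts).
SAMPLES = {
    "backup.sql": b"-- dump\nCREATE TABLE person_per (per_ID INT);\n",
    "backup.sql.gz": gzip.compress(b"-- dump\nINSERT INTO person_per VALUES (1);\n"),
    "shell.php": b"<?php /* constructed placeholder, not functional */ ?>",
    ".htaccess": b"Options -Indexes\n",
    "dump.php.sql": b"-- looks like sql\n",
    "dump.sql.gz": b"not really gzip data",
    "../evil.sql": b"<?= 1 ?>",  # traversal attempt plus a PHP marker inside a .sql
}


def run_samples() -> Dict[str, bool]:
    return {name: validate_restore_upload(name, data).accepted for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        decision = validate_restore_upload(name, data)
        print(f"{name!r:16} -> {'ACCEPT' if decision.accepted else 'REJECT'} ({decision.reason})")
```

Only the two genuine dumps pass; the PHP file, the dotfile, the double extension, the mislabelled gzip and the dump carrying a PHP open tag are all refused before anything is written, and the accepted file is stored under a server-chosen name rather than the one the client sent.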
Security Summary (AI-generated)
CVE-2025-68109 affects ChurchCRM, an open-source church management system, in versions prior to 6.5.3. The vulnerability resides in the Database Restore functionality, which fails to validate the content or file extension of uploaded files. This flaw enables attackers to upload malicious files, such as a web shell, and a supporting .htaccess file to bypass restrictions and gain direct access, ultimately leading to remote code execution (RCE) on the server. The issue is rated with a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H) and is associated with CWEs including CWE-78 (OS Command Injection), CWE-434 (Unrestricted Upload), CWE-494 (Download of Code Without Integrity Check), CWE-552 (Files or Directories Accessible to External Parties), and CWE-915 (Improperly Controlled Modification of Dynamically-Determined Object Attributes).
Exploitation requires high privileges (PR:H), such as administrative access within the ChurchCRM application, and is reachable over the network with low attack complexity and no user interaction. A privileged attacker can use the Database Restore feature to upload a web shell file, followed by a .htaccess file that makes it executable via direct web access. Successful exploitation grants RCE and full compromise of the server, with high confidentiality, integrity, and availability impact; the changed scope (S:C) reflects that the impact extends beyond the application to the host.
The GitHub Security Advisory (GHSA-pqm7-g8px-9r77) confirms that ChurchCRM version 6.5.3 addresses the vulnerability by implementing proper validation of uploaded files in the Database Restore functionality. Security practitioners should upgrade to version 6.5.3 or later and review access controls for privileged users.
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
An unrestricted file upload in a public-facing web application (ChurchCRM) maps to Exploit Public-Facing Application (T1190), Exploitation for Privilege Escalation through the resulting RCE (T1068), and Server Software Component: Web Shell for the deployment and execution of web shells (T1505.003).