CVE-2025-67874

EUVD-2025-203487
ChurchCRM is an open-source church management system. Prior to version 6.5.0, the application echoes back plaintext passwords submitted by users in subsequent HTTP responses. This information disclosure significantly increases the risk of credential compromise and may amplify the impact of other vulnerabilities (e.g., XSS, IDOR, session fixation), enabling attackers to harvest other users’ passwords. Version 6.5.0 fixes the issue.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
6.5 MEDIUM
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: 11%
Affected Products (NVD)
VendorProductVersion
churchcrmchurchcrm
𝑥
< 6.5.0
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://github.com/ChurchCRM/CRM/commit/2d6cf7aed9af1b9b47e125d1a2266f8e2a88f3fd
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-p98h-5xcj-5c6x