← Back

CVE-2025-67874

nvd nist
Published: Dec 16, 2025Modified: Dec 17, 2025

JSON object

Loading...
6.9
Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Show more
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less
Source: security-advisories@github.com (Secondary)

Description

ChurchCRM is an open-source church management system. Prior to version 6.5.0, the application echoes back plaintext passwords submitted by users in subsequent HTTP responses. This information disclosure significantly increases the risk of credential compromise and may amplify the impact of other vulnerabilities (e.g., XSS, IDOR, session fixation), enabling attackers to harvest other users’ passwords. Version 6.5.0 fixes the issue.

Affected (1)

Products: Churchcrm: Churchcrm
Churchcrm
1 product
Churchcrm
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Churchcrm
Before 6.5.0

Related CWEs

CWE-204
Observable Response Discrepancy
The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere.

References (2)

Source: security-advisories@github.com
Patch
Source: security-advisories@github.com
ExploitVendor Advisory

Timeline

No history available yet.