VDB-329014 · CVE-2025-11938 · EUVD-2025-35002

ChurchCRM ଯେପର୍ଯ୍ୟନ୍ତ 5.18.0 setup/routes/setup.php DB_PASSWORD/ROOT_PATH/URL ବିସ୍ତାରିତ ଅଧିକାର

Dogoggorri kan akka ଜଟିଳ jedhamuun ramadame ChurchCRM ଯେପର୍ଯ୍ୟନ୍ତ 5.18.0 keessatti argameera. Miidhaan irra gahe is hojii hin beekamne faayilii setup/routes/setup.php keessa. Dhugumatti jijjiirraa irratti raawwatame DB_PASSWORD/ROOT_PATH/URL gara ବିସ୍ତାରିତ ଅଧିକାର geessa. Waliigalteewwan CWE fayyadamuun rakkoo ibsuun gara CWE-502 si geessa. Beekumsi kun yeroo 10/18/2025 ifoomsifameera. Odeeffannoon kun buufachuuf github.com irratti dhiyaateera. Dogoggorri kun maqaa CVE-2025-11938 jedhuun tajaajilama. Weerara fageenya irraa jalqabuun ni danda'ama. Odeeffannoon teeknikaa ni argama. Akka dabalataan, meeshaa balaa kana fayyadamuuf argama. Qorannoo miidhaa (exploit) beeksifamee jira, namoonni itti fayyadamuu danda'u. Yeroo ammaa, gatii exploit might be approx. USD $0-$5k beekamuu danda'a. ପ୍ରୁଫ୍-ଅଫ୍-କନ୍ସେପ୍ଟ jedhamee murtaa’eera. Exploit kana github.com irraa buufachuu ni dandeessa. Waggaa 0-day ta'ee, gatiin isaa daldala dhoksaa keessatti $0-$5k jedhamee tilmaamame. Once again VulDB remains the best source for vulnerability data.

5 ଆଡାପ୍ଟେସନ୍ · 103 ପଏଣ୍ଟ

ଫିଲ୍ଡ	ସୃଷ୍ଟି ହୋଇଛି 10/18/2025 02:59 PM	ଅଦ୍ୟତନ 1/4 10/19/2025 10:38 AM	ଅଦ୍ୟତନ 2/4 10/19/2025 12:42 PM	ଅଦ୍ୟତନ 3/4 10/20/2025 08:42 PM	ଅଦ୍ୟତନ 4/4 10/27/2025 03:31 PM
software_name	ChurchCRM	ChurchCRM	ChurchCRM	ChurchCRM	ChurchCRM
software_version	<=5.18.0	<=5.18.0	<=5.18.0	<=5.18.0	<=5.18.0
software_file	setup/routes/setup.php	setup/routes/setup.php	setup/routes/setup.php	setup/routes/setup.php	setup/routes/setup.php
software_argument	DB_PASSWORD/ROOT_PATH/URL	DB_PASSWORD/ROOT_PATH/URL	DB_PASSWORD/ROOT_PATH/URL	DB_PASSWORD/ROOT_PATH/URL	DB_PASSWORD/ROOT_PATH/URL
vulnerability_cwe	CWE-502 (ବିସ୍ତାରିତ ଅଧିକାର)	CWE-502 (ବିସ୍ତାରିତ ଅଧିକାର)	CWE-502 (ବିସ୍ତାରିତ ଅଧିକାର)	CWE-502 (ବିସ୍ତାରିତ ଅଧିକାର)	CWE-502 (ବିସ୍ତାରିତ ଅଧିକାର)
vulnerability_risk	2	2	2	2	2
cvss3_vuldb_av	N	N	N	N	N
cvss3_vuldb_ac	H	H	H	H	H
cvss3_vuldb_pr	N	N	N	N	N
cvss3_vuldb_ui	N	N	N	N	N
cvss3_vuldb_s	U	U	U	U	U
cvss3_vuldb_c	L	L	L	L	L
cvss3_vuldb_i	L	L	L	L	L
cvss3_vuldb_a	L	L	L	L	L
cvss3_vuldb_e	P	P	P	P	P
cvss3_vuldb_rc	R	R	R	R	R
advisory_url	https://github.com/uartu0/advisories/blob/main/churchcrm-setup-rce-2025.md	https://github.com/uartu0/advisories/blob/main/churchcrm-setup-rce-2025.md	https://github.com/uartu0/advisories/blob/main/churchcrm-setup-rce-2025.md	https://github.com/uartu0/advisories/blob/main/churchcrm-setup-rce-2025.md	https://github.com/uartu0/advisories/blob/main/churchcrm-setup-rce-2025.md
exploit_availability	1	1	1	1	1
exploit_publicity	1	1	1	1	1
exploit_url	https://github.com/uartu0/advisories/blob/main/churchcrm-setup-rce-2025.md	https://github.com/uartu0/advisories/blob/main/churchcrm-setup-rce-2025.md	https://github.com/uartu0/advisories/blob/main/churchcrm-setup-rce-2025.md	https://github.com/uartu0/advisories/blob/main/churchcrm-setup-rce-2025.md	https://github.com/uartu0/advisories/blob/main/churchcrm-setup-rce-2025.md
source_cve	CVE-2025-11938	CVE-2025-11938	CVE-2025-11938	CVE-2025-11938	CVE-2025-11938
cna_responsible	VulDB	VulDB	VulDB	VulDB	VulDB
response_summary	The vendor was contacted early about this disclosure but did not respond in any way.	The vendor was contacted early about this disclosure but did not respond in any way.	The vendor was contacted early about this disclosure but did not respond in any way.	The vendor was contacted early about this disclosure but did not respond in any way.	The vendor was contacted early about this disclosure but did not respond in any way.
cvss2_vuldb_av	N	N	N	N	N
cvss2_vuldb_ac	H	H	H	H	H
cvss2_vuldb_au	N	N	N	N	N
cvss2_vuldb_ci	P	P	P	P	P
cvss2_vuldb_ii	P	P	P	P	P
cvss2_vuldb_ai	P	P	P	P	P
cvss2_vuldb_e	POC	POC	POC	POC	POC
cvss2_vuldb_rc	UR	UR	UR	UR	UR
cvss4_vuldb_av	N	N	N	N	N
cvss4_vuldb_ac	H	H	H	H	H
cvss4_vuldb_pr	N	N	N	N	N
cvss4_vuldb_ui	N	N	N	N	N
cvss4_vuldb_vc	L	L	L	L	L
cvss4_vuldb_vi	L	L	L	L	L
cvss4_vuldb_va	L	L	L	L	L
cvss4_vuldb_e	P	P	P	P	P
cvss2_vuldb_rl	ND	ND	ND	ND	ND
cvss3_vuldb_rl	X	X	X	X	X
cvss4_vuldb_at	N	N	N	N	N
cvss4_vuldb_sc	N	N	N	N	N
cvss4_vuldb_si	N	N	N	N	N
cvss4_vuldb_sa	N	N	N	N	N
cvss2_vuldb_basescore	5.1	5.1	5.1	5.1	5.1
cvss2_vuldb_tempscore	4.4	4.4	4.4	4.4	4.4
cvss3_vuldb_basescore	5.6	5.6	5.6	5.6	5.6
cvss3_vuldb_tempscore	5.1	5.1	5.1	5.1	5.1
cvss3_meta_basescore	5.6	5.6	5.6	5.6	6.4
cvss3_meta_tempscore	5.1	5.1	5.3	5.3	6.3
cvss4_vuldb_bscore	6.3	6.3	6.3	6.3	6.3
cvss4_vuldb_btscore	2.9	2.9	2.9	2.9	2.9
advisory_date	1760738400 (10/18/2025)	1760738400 (10/18/2025)	1760738400 (10/18/2025)	1760738400 (10/18/2025)	1760738400 (10/18/2025)
price_0day	$0-$5k	$0-$5k	$0-$5k	$0-$5k	$0-$5k
euvd_id		EUVD-2025-35002	EUVD-2025-35002	EUVD-2025-35002	EUVD-2025-35002
cve_nvd_summary			A vulnerability was found in ChurchCRM up to 5.18.0. This vulnerability affects unknown code of the file setup/routes/setup.php. Performing manipulation of the argument DB_PASSWORD/ROOT_PATH/URL results in deserialization. The attack may be initiated remotely. The attack's complexity is rated as high. It is stated that the exploitability is difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.	A vulnerability was found in ChurchCRM up to 5.18.0. This vulnerability affects unknown code of the file setup/routes/setup.php. Performing manipulation of the argument DB_PASSWORD/ROOT_PATH/URL results in deserialization. The attack may be initiated remotely. The attack's complexity is rated as high. It is stated that the exploitability is difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.	A vulnerability was found in ChurchCRM up to 5.18.0. This vulnerability affects unknown code of the file setup/routes/setup.php. Performing manipulation of the argument DB_PASSWORD/ROOT_PATH/URL results in deserialization. The attack may be initiated remotely. The attack's complexity is rated as high. It is stated that the exploitability is difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
cvss4_cna_av			N	N	N
cvss4_cna_ac			H	H	H
cvss4_cna_at			N	N	N
cvss4_cna_pr			N	N	N
cvss4_cna_ui			N	N	N
cvss4_cna_vc			L	L	L
cvss4_cna_vi			L	L	L
cvss4_cna_va			L	L	L
cvss4_cna_sc			N	N	N
cvss4_cna_si			N	N	N
cvss4_cna_sa			N	N	N
cvss4_cna_bscore			6.3	6.3	6.3
cvss3_cna_av			N	N	N
cvss3_cna_ac			H	H	H
cvss3_cna_pr			N	N	N
cvss3_cna_ui			N	N	N
cvss3_cna_s			U	U	U
cvss3_cna_c			L	L	L
cvss3_cna_i			L	L	L
cvss3_cna_a			L	L	L
cvss3_cna_basescore			5.6	5.6	5.6
cvss2_cna_av			N	N	N
cvss2_cna_ac			H	H	H
cvss2_cna_au			N	N	N
cvss2_cna_ci			P	P	P
cvss2_cna_ii			P	P	P
cvss2_cna_ai			P	P	P
cvss2_cna_basescore			5.1	5.1	5.1
cnnvd_id				CNNVD-202510-2557	CNNVD-202510-2557
cnnvd_name				ChurchCRM 代码问题漏洞	ChurchCRM 代码问题漏洞
cnnvd_hazardlevel				3	3
cnnvd_create				2025-10-20	2025-10-20
cnnvd_publish				2025-10-19	2025-10-19
cnnvd_update				2025-10-20	2025-10-20
cvss3_nvd_av					N
cvss3_nvd_ac					H
cvss3_nvd_pr					N
cvss3_nvd_ui					N
cvss3_nvd_s					U
cvss3_nvd_c					H
cvss3_nvd_i					H
cvss3_nvd_a					H
cvss3_nvd_basescore					8.1

◂ ପଛକୁ ସମୀକ୍ଷା ଆହୁରି ଦୂରରେ ▸

Want to stay up to date on a daily basis?

Enable the mail alert feature now!