Security Advisory

CVE-2025-67751

CVE vulnerability detail — eXtreme Datacenter Security Operations

Published 2025-12-16 00:46:30

Last updated 2025-12-16 20:52:24

Assigner GitHub_M

State PUBLISHED

Description

ChurchCRM is an open-source church management system. Prior to version 6.5.0, a SQL injection vulnerability exists in the `EventEditor.php` file. When creating a new event and selecting an event type, the `EN_tyid` POST parameter is not sanitized. This allows an authenticated user with event management permissions (`isAddEvent`) to execute arbitrary SQL queries. Version 6.5.0 fixes the issue.

← Browse all CVEs View on cve.org ↗