CVE-2025-67874 — MEDIUM (6.5)

Q: How severe is CVE-2025-67874?

CVE-2025-67874 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2025-67874?

Check the references section above for vendor advisories and patch information. Affected products include: Churchcrm Churchcrm.

Vulnerability Description

ChurchCRM is an open-source church management system. Prior to version 6.5.0, the application echoes back plaintext passwords submitted by users in subsequent HTTP responses. This information disclosure significantly increases the risk of credential compromise and may amplify the impact of other vulnerabilities (e.g., XSS, IDOR, session fixation), enabling attackers to harvest other users’ passwords. Version 6.5.0 fixes the issue.

CVSS Score

6.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Churchcrm	Churchcrm	< 6.5.0

Related Weaknesses (CWE)

CWE-204

References

https://github.com/ChurchCRM/CRM/commit/2d6cf7aed9af1b9b47e125d1a2266f8e2a88f3fdPatch
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-p98h-5xcj-5c6xExploitVendor Advisory

FAQ

What is CVE-2025-67874?

CVE-2025-67874 is a vulnerability with a CVSS score of 6.5 (MEDIUM). ChurchCRM is an open-source church management system. Prior to version 6.5.0, the application echoes back plaintext passwords submitted by users in subsequent HTTP responses. This information disclosu...

How severe is CVE-2025-67874?

CVE-2025-67874 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-67874?

Check the references section above for vendor advisories and patch information. Affected products include: Churchcrm Churchcrm.