nvd-json-data-feeds/CVE-2025/CVE-2025-11xx/CVE-2025-1133.json

{
  "id": "CVE-2025-1133",
  "sourceIdentifier": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
  "published": "2025-02-19T09:15:10.550",
  "lastModified": "2025-02-25T21:26:57.793",
  "vulnStatus": "Analyzed",
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A vulnerability exists in ChurchCRM 5.13.0 and prior\u00a0that allows an attacker to execute arbitrary SQL queries by exploiting a boolean-based blind SQL Injection\u00a0vulnerability in the EditEventAttendees\u00a0functionality. The EID\u00a0parameter is directly concatenated into an SQL query without proper sanitization, making it susceptible to SQL injection attacks. An attacker can manipulate the query, potentially leading to data exfiltration, modification, or deletion.\u00a0 Please note that this vulnerability requires Administrator privileges."
    },
    {
      "lang": "es",
      "value": "Existe una vulnerabilidad en ChurchCRM 5.13.0 y versiones anteriores que permite a un atacante ejecutar consultas SQL arbitrarias aprovechando una vulnerabilidad de inyecci\u00f3n SQL ciega basada en booleanos en la funcionalidad EditEventAttendees. El par\u00e1metro EID se concatena directamente en una consulta SQL sin la limpieza adecuada, lo que lo hace susceptible a ataques de inyecci\u00f3n SQL. Un atacante puede manipular la consulta, lo que puede provocar la exfiltraci\u00f3n, modificaci\u00f3n o eliminaci\u00f3n de datos. Tenga en cuenta que esta vulnerabilidad requiere privilegios de administrador."
    }
  ],
  "metrics": {
    "cvssMetricV40": [
      {
        "source": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
        "type": "Secondary",
        "cvssData": {
          "version": "4.0",
          "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:H/U:Red",
          "baseScore": 9.3,
          "baseSeverity": "CRITICAL",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "privilegesRequired": "HIGH",
          "userInteraction": "NONE",
          "vulnConfidentialityImpact": "HIGH",
          "vulnIntegrityImpact": "HIGH",
          "vulnAvailabilityImpact": "HIGH",
          "subConfidentialityImpact": "HIGH",
          "subIntegrityImpact": "LOW",
          "subAvailabilityImpact": "HIGH",
          "exploitMaturity": "NOT_DEFINED",
          "confidentialityRequirement": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "availabilityRequirement": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "Automatable": "YES",
          "Recovery": "USER",
          "valueDensity": "CONCENTRATED",
          "vulnerabilityResponseEffort": "HIGH",
          "providerUrgency": "RED"
        }
      }
    ],
    "cvssMetricV31": [
      {
        "source": "nvd@nist.gov",
        "type": "Primary",
        "cvssData": {
          "version": "3.1",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
          "baseScore": 7.2,
          "baseSeverity": "HIGH",
          "attackVector": "NETWORK",
          "attackComplexity": "LOW",
          "privilegesRequired": "HIGH",
          "userInteraction": "NONE",
          "scope": "UNCHANGED",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "availabilityImpact": "HIGH"
        },
        "exploitabilityScore": 1.2,
        "impactScore": 5.9
      }
    ]
  },
  "weaknesses": [
    {
      "source": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
      "type": "Secondary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ]
    },
    {
      "source": "nvd@nist.gov",
      "type": "Primary",
      "description": [
        {
          "lang": "en",
          "value": "CWE-89"
        }
      ]
    }
  ],
  "configurations": [
    {
      "nodes": [
        {
          "operator": "OR",
          "negate": false,
          "cpeMatch": [
            {
              "vulnerable": true,
              "criteria": "cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*",
              "versionEndIncluding": "5.13.0",
              "matchCriteriaId": "552A51B0-B2AE-4A12-BF43-DDCE1D8A29D2"
            }
          ]
        }
      ]
    }
  ],
  "references": [
    {
      "url": "https://github.com/ChurchCRM/CRM/issues/7252",
      "source": "b7efe717-a805-47cf-8e9a-921fca0ce0ce",
      "tags": [
        "Exploit",
        "Third Party Advisory"
      ]
    }
  ]
}