Primary

Context

ChurchCRM Database Information Disclosure Vulnerability

Vulnerability

Patched

A vulnerability in ChurchCRM versions prior to 6.5.3 allows for the unintentional disclosure of database connection details in error messages. This information leak includes the database host, IP address, username, and password. The issue arises when the application encounters a database error and fails to properly handle the exception, leading to sensitive information being exposed.

Impact

Exploitation of this vulnerability allows unauthorized access to the SQL server using the disclosed credentials. This access could lead to further compromise of the SQL server, which is considered a separate security authority from the web application. As a result, the vulnerability's impact extends beyond the application's security boundary, affecting an external system.

Remediation

Users can upgrade to ChurchCRM version 6.5.3 or later to address this vulnerability.

Added: Dec 17, 2025, 10:24 PM

Updated: Dec 17, 2025, 10:24 PM

Vulnerability Rating

Custom Algorithm

spread

1.9

impact

3.3

exploitability

6.6

remediation

7.7

relevance

1.4

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

1.9

impact

3.3

exploitability

6.6

remediation

7.7

relevance

1.4

threat

6.4

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

ChurchCRM Database Information Disclosure Vulnerability

Vulnerability

Impact

Remediation

Affected Products

ChurchCRM

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating