{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-11529", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "state": "PUBLISHED", "assignerShortName": "VulDB", "dateReserved": "2025-10-08T19:05:38.194Z", "datePublished": "2025-10-09T03:02:11.993Z", "dateUpdated": "2025-10-09T14:33:23.789Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2025-10-09T03:02:11.993Z"}, "title": "ChurchCRM API Endpoint AuthMiddleware.php AuthMiddleware missing authentication", "problemTypes": [{"descriptions": [{"type": "CWE", "cweId": "CWE-306", "lang": "en", "description": "Missing Authentication"}]}, {"descriptions": [{"type": "CWE", "cweId": "CWE-287", "lang": "en", "description": "Improper Authentication"}]}], "affected": [{"vendor": "n/a", "product": "ChurchCRM", "versions": [{"version": "5.0", "status": "affected"}, {"version": "5.1", "status": "affected"}, {"version": "5.2", "status": "affected"}, {"version": "5.3", "status": "affected"}, {"version": "5.4", "status": "affected"}, {"version": "5.5", "status": "affected"}, {"version": "5.6", "status": "affected"}, {"version": "5.7", "status": "affected"}, {"version": "5.8", "status": "affected"}, {"version": "5.9", "status": "affected"}, {"version": "5.10", "status": "affected"}, {"version": "5.11", "status": "affected"}, {"version": "5.12", "status": "affected"}, {"version": "5.13", "status": "affected"}, {"version": "5.14", "status": "affected"}, {"version": "5.15", "status": "affected"}, {"version": "5.16", "status": "affected"}, {"version": "5.17", "status": "affected"}, {"version": "5.18.0", "status": "affected"}], "modules": ["API Endpoint"]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in ChurchCRM up to 5.18.0. This impacts the function AuthMiddleware of the file src/ChurchCRM/Slim/Middleware/AuthMiddleware.php of the component API Endpoint. The manipulation results in missing authentication. The attack can be executed remotely. The exploit has been released to the public and may be exploited. The patch is identified as 3a1cffd2aea63d884025949cfbcfd274d06216a4. A patch should be applied to remediate this issue."}, {"lang": "de", "value": "In ChurchCRM up to 5.18.0 ist eine Schwachstelle entdeckt worden. Dabei geht es um die Funktion AuthMiddleware der Datei src/ChurchCRM/Slim/Middleware/AuthMiddleware.php der Komponente API Endpoint. Die Manipulation f\u00fchrt zu missing authentication. Der Angriff l\u00e4sst sich \u00fcber das Netzwerk starten. Die Schwachstelle wurde \u00f6ffentlich offengelegt und k\u00f6nnte ausgenutzt werden. Der Patch tr\u00e4gt den Namen 3a1cffd2aea63d884025949cfbcfd274d06216a4. Es wird geraten, einen Patch zu installieren, um dieses Problem zu l\u00f6sen."}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P", "baseSeverity": "MEDIUM"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", "baseSeverity": "HIGH"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C", "baseSeverity": "HIGH"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C"}}], "timeline": [{"time": "2025-10-08T00:00:00.000Z", "lang": "en", "value": "Advisory disclosed"}, {"time": "2025-10-08T02:00:00.000Z", "lang": "en", "value": "VulDB entry created"}, {"time": "2025-10-08T21:21:17.000Z", "lang": "en", "value": "VulDB entry last update"}], "credits": [{"lang": "en", "value": "uartu0 (VulDB User)", "type": "reporter"}], "references": [{"url": "https://vuldb.com/?id.327667", "name": "VDB-327667 | ChurchCRM API Endpoint AuthMiddleware.php AuthMiddleware missing authentication", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.327667", "name": "VDB-327667 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.669916", "name": "Submit #669916 | ChurchCRM ChurchCRM (GitHub: ChurchCRM/CRM) <= 5.18.0 Authentication Bypass / Access Control", "tags": ["third-party-advisory"]}, {"url": "https://github.com/uartu0/advisories/blob/main/churchcrm-api-auth-bypass-2025.md", "tags": ["exploit"]}, {"url": "https://github.com/ChurchCRM/CRM/pull/7376", "tags": ["issue-tracking"]}, {"url": "https://github.com/ChurchCRM/CRM/commit/3a1cffd2aea63d884025949cfbcfd274d06216a4", "tags": ["patch"]}], "tags": ["x_open-source"]}, "adp": [{"references": [{"url": "https://github.com/uartu0/advisories/blob/main/churchcrm-api-auth-bypass-2025.md", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-09T14:27:36.837070Z", "id": "CVE-2025-11529", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-09T14:33:23.789Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11529", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-09T14:27:36.837070Z"}}}], "references": [{"url": "https://github.com/uartu0/advisories/blob/main/churchcrm-api-auth-bypass-2025.md", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-09T14:27:49.794Z"}}], "cna": {"tags": ["x_open-source"], "title": "ChurchCRM API Endpoint AuthMiddleware.php AuthMiddleware missing authentication", "credits": [{"lang": "en", "type": "reporter", "value": "uartu0 (VulDB User)"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 6.9, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"}}, {"cvssV3_1": {"version": "3.1", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"}}, {"cvssV3_0": {"version": "3.0", "baseScore": 7.3, "baseSeverity": "HIGH", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C"}}, {"cvssV2_0": {"version": "2.0", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C"}}], "affected": [{"vendor": "n/a", "modules": ["API Endpoint"], "product": "ChurchCRM", "versions": [{"status": "affected", "version": "5.0"}, {"status": "affected", "version": "5.1"}, {"status": "affected", "version": "5.2"}, {"status": "affected", "version": "5.3"}, {"status": "affected", "version": "5.4"}, {"status": "affected", "version": "5.5"}, {"status": "affected", "version": "5.6"}, {"status": "affected", "version": "5.7"}, {"status": "affected", "version": "5.8"}, {"status": "affected", "version": "5.9"}, {"status": "affected", "version": "5.10"}, {"status": "affected", "version": "5.11"}, {"status": "affected", "version": "5.12"}, {"status": "affected", "version": "5.13"}, {"status": "affected", "version": "5.14"}, {"status": "affected", "version": "5.15"}, {"status": "affected", "version": "5.16"}, {"status": "affected", "version": "5.17"}, {"status": "affected", "version": "5.18.0"}]}], "timeline": [{"lang": "en", "time": "2025-10-08T00:00:00.000Z", "value": "Advisory disclosed"}, {"lang": "en", "time": "2025-10-08T02:00:00.000Z", "value": "VulDB entry created"}, {"lang": "en", "time": "2025-10-08T21:21:17.000Z", "value": "VulDB entry last update"}], "references": [{"url": "https://vuldb.com/?id.327667", "name": "VDB-327667 | ChurchCRM API Endpoint AuthMiddleware.php AuthMiddleware missing authentication", "tags": ["vdb-entry", "technical-description"]}, {"url": "https://vuldb.com/?ctiid.327667", "name": "VDB-327667 | CTI Indicators (IOB, IOC, IOA)", "tags": ["signature", "permissions-required"]}, {"url": "https://vuldb.com/?submit.669916", "name": "Submit #669916 | ChurchCRM ChurchCRM (GitHub: ChurchCRM/CRM) <= 5.18.0 Authentication Bypass / Access Control", "tags": ["third-party-advisory"]}, {"url": "https://github.com/uartu0/advisories/blob/main/churchcrm-api-auth-bypass-2025.md", "tags": ["exploit"]}, {"url": "https://github.com/ChurchCRM/CRM/pull/7376", "tags": ["issue-tracking"]}, {"url": "https://github.com/ChurchCRM/CRM/commit/3a1cffd2aea63d884025949cfbcfd274d06216a4", "tags": ["patch"]}], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in ChurchCRM up to 5.18.0. This impacts the function AuthMiddleware of the file src/ChurchCRM/Slim/Middleware/AuthMiddleware.php of the component API Endpoint. The manipulation results in missing authentication. The attack can be executed remotely. The exploit has been released to the public and may be exploited. The patch is identified as 3a1cffd2aea63d884025949cfbcfd274d06216a4. A patch should be applied to remediate this issue."}, {"lang": "de", "value": "In ChurchCRM up to 5.18.0 ist eine Schwachstelle entdeckt worden. Dabei geht es um die Funktion AuthMiddleware der Datei src/ChurchCRM/Slim/Middleware/AuthMiddleware.php der Komponente API Endpoint. Die Manipulation f\u00fchrt zu missing authentication. Der Angriff l\u00e4sst sich \u00fcber das Netzwerk starten. Die Schwachstelle wurde \u00f6ffentlich offengelegt und k\u00f6nnte ausgenutzt werden. Der Patch tr\u00e4gt den Namen 3a1cffd2aea63d884025949cfbcfd274d06216a4. Es wird geraten, einen Patch zu installieren, um dieses Problem zu l\u00f6sen."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "Missing Authentication"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-287", "description": "Improper Authentication"}]}], "providerMetadata": {"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "shortName": "VulDB", "dateUpdated": "2025-10-09T03:02:11.993Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11529", "state": "PUBLISHED", "dateUpdated": "2025-10-09T14:33:23.789Z", "dateReserved": "2025-10-08T19:05:38.194Z", "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5", "datePublished": "2025-10-09T03:02:11.993Z", "assignerShortName": "VulDB"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*", "matchCriteriaId": "E88638D7-92B8-4BBC-97B9-827F4D6E6589", "versionEndExcluding": "5.19.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A security flaw has been discovered in ChurchCRM up to 5.18.0. This impacts the function AuthMiddleware of the file src/ChurchCRM/Slim/Middleware/AuthMiddleware.php of the component API Endpoint. The manipulation results in missing authentication. The attack can be executed remotely. The exploit has been released to the public and may be exploited. The patch is identified as 3a1cffd2aea63d884025949cfbcfd274d06216a4. A patch should be applied to remediate this issue."}], "id": "CVE-2025-11529", "lastModified": "2025-10-27T18:04:47.800", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "[email protected]", "type": "Secondary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.3, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.4, "source": "[email protected]", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "[email protected]", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "PROOF_OF_CONCEPT", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "[email protected]", "type": "Secondary"}]}, "published": "2025-10-09T03:15:31.830", "references": [{"source": "[email protected]", "tags": ["Patch"], "url": "https://github.com/ChurchCRM/CRM/commit/3a1cffd2aea63d884025949cfbcfd274d06216a4"}, {"source": "[email protected]", "tags": ["Issue Tracking"], "url": "https://github.com/ChurchCRM/CRM/pull/7376"}, {"source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/uartu0/advisories/blob/main/churchcrm-api-auth-bypass-2025.md"}, {"source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"], "url": "https://vuldb.com/?ctiid.327667"}, {"source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?id.327667"}, {"source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"], "url": "https://vuldb.com/?submit.669916"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/uartu0/advisories/blob/main/churchcrm-api-auth-bypass-2025.md"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}, {"lang": "en", "value": "CWE-306"}], "source": "[email protected]", "type": "Secondary"}]}

{}