ChurchCRM’s Kiosk Manager Functions are vulnerable to Broken Access Control

8.3 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H

Description

ChurchCRM is an open-source church management system. Prior to version 6.5.3, the allowRegistration, acceptKiosk, reloadKiosk, and identifyKiosk functions in the Kiosk Manager feature suffers from broken access control, allowing any authenticated user to allow and accept kiosk registrations, and perform other Kiosk Manager actions such as reload and identify. Version 6.5.3 fixes the issue.

Basic Information

ID CVE-2025-66397

Source GitHub_M

Published Dec 17, 2025 at 19:12

Modified Dec 17, 2025 at 19:28

Affected Product

Vendor ChurchCRM

Product CRM

Version < 6.5.3

Affected Versions ChurchCRM CRM < 6.5.3

CWE Classification

CWE-284

References

github.com /ChurchCRM/CRM/security/advisories/GHSA-32vr-ch3p-wmr5

{
    "lastseen": "",
    "description": "ChurchCRM is an open-source church management system. Prior to version 6.5.3, the allowRegistration, acceptKiosk, reloadKiosk, and identifyKiosk functions in the Kiosk Manager feature suffers from broken access control, allowing any authenticated user to allow and accept kiosk registrations, and perform other Kiosk Manager actions such as reload and identify. Version 6.5.3 fixes the issue.",
    "published": "2025-12-17T19:12:41.501Z",
    "modified": "2025-12-17T19:28:15.386Z",
    "type": "cve",
    "title": "ChurchCRM's Kiosk Manager Functions are vulnerable to Broken Access Control",
    "source": "GitHub_M",
    "references": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-32vr-ch3p-wmr5",
    "id": "CVE-2025-66397",
    "bulletinFamily": "",
    "cwe": [
        "CWE-284"
    ],
    "cvelist": null,
    "sourceData": "ChurchCRM CRM < 6.5.3",
    "sourceHref": "",
    "cvss": {
        "score": 8.3,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "CRM",
    "version": "< 6.5.3",
    "vendor": "ChurchCRM",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

ChurchCRM’s Kiosk Manager Functions are vulnerable to Broken Access Control_CVE-2025-66397