CVE-2025-1023
Published: 2025-02-18
Priority: P1 · 81 · Critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 2.18% (80.1th percentile)
A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a time-based blind SQL Injection vulnerability in the EditEventTypes functionality. The newCountName parameter is directly concatenated into an SQL query without proper sanitization, allowing an attacker to manipulate database queries and execute arbitrary commands, potentially leading to data exfiltration, modification, or deletion.
Affected (17 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| churchcrm | churchcrm | <= 5.13.0 | — |
| churchcrm | churchcrm | — | — |
| msrc | windows_10 | — | — |
| msrc | windows_10_version_1607 | — | — |
| msrc | windows_10_version_1809 | — | — |
| msrc | windows_10_version_21h2 | — | — |
| msrc | windows_10_version_22h2 | — | — |
| msrc | windows_11_version_22h2 | — | — |
| msrc | windows_11_version_23h2 | — | — |
| msrc | windows_11_version_24h2 | — | — |
| msrc | windows_11_version_25h2 | — | — |
| msrc | windows_server_2016 | — | — |
| msrc | windows_server_2019 | — | — |
| msrc | windows_server_2022 | — | — |
| msrc | windows_server_2022_23h2_edition | — | — |
| msrc | windows_server_2025 | — | — |
| vllm | vllm | >= 0.7.0 < 0.9.0 | 0.9.0 |
Detection & IOCs (extracted from sources)
Command: `EN_tyid=1&newEvtName=Test&newEvtStartTime=10:30:00&newCountName=1%27%20AND%20(SELECT%20SLEEP(8))%20AND%20%271%27%3D%271&Action=ADD`
- Detect time-based blind SQLi exploitation: POST requests to /EditEventTypes.php with a `newCountName` parameter containing SQL sleep payloads (e.g., SLEEP(8)) should be flagged. A server response time >= 8 seconds combined with an HTTP 500 status is a strong indicator of successful exploitation.
- Monitor POST requests to /EditEventTypes.php for the `newCountName` parameter containing SQL metacharacters or injection patterns (e.g., single quotes, AND, SELECT, SLEEP).
- Shodan/FOFA exposure query: use `http.title:"churchcrm"` (Shodan) or `app="churchcrm"` (FOFA) to identify internet-exposed ChurchCRM instances that may be targeted.
- The attack requires authentication; monitor for login attempts to /session/begin immediately followed by POST requests to /EditEventTypes.php with suspicious `newCountName` values as a two-step attack chain.
- The CVSS score in the Nuclei template is rated 9.8 (Critical, no auth required), but the template itself and its tags indicate the attack IS authenticated (`authenticated` tag, login step in the HTTP chain). Detections should account for a prior valid session.
- The Nuclei template uses a 30-second timeout and an 8-second SLEEP payload; detection rules based on response time must account for network latency to avoid false positives.
- Affected versions are ChurchCRM 5.13.0 and prior; version fingerprinting should be used to prioritize alerts on unpatched instances.
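The detection logic described in the bullets above, as an added example (not code from any of the indexed sources): it runs over constructed JSON reverse-proxy log lines, treats the `newCountName` payload as the primary evidence, uses the observed delay plus HTTP 500 only to raise confidence, and links the request to a preceding `/session/begin` login from the same source. The log field names (`ts`, `src`, `method`, `path`, `status`, `ms`, `body`) and the 60-second login window are assumptions.

```python
import json
import re
from urllib.parse import parse_qs

# Constructed proxy log lines (one JSON object per line); not real traffic.
LOG_LINES = [
    '{"ts": 100.0, "src": "203.0.113.7", "method": "POST", "path": "/session/begin", '
    '"status": 302, "ms": 120, "body": ""}',
    '{"ts": 104.5, "src": "203.0.113.7", "method": "POST", "path": "/EditEventTypes.php", '
    '"status": 500, "ms": 8210, "body": "EN_tyid=1&newEvtName=Test&newEvtStartTime=10:30:00'
    '&newCountName=1%27%20AND%20(SELECT%20SLEEP(8))%20AND%20%271%27%3D%271&Action=ADD"}',
    '{"ts": 200.0, "src": "198.51.100.4", "method": "POST", "path": "/EditEventTypes.php", '
    '"status": 200, "ms": 95, "body": "EN_tyid=2&newEvtName=Choir&newEvtStartTime=09:00:00'
    '&newCountName=Adults&Action=ADD"}',
]

SQLI_PATTERN = re.compile(r"'|\bAND\b|\bSELECT\b|\bSLEEP\s*\(", re.IGNORECASE)
SLEEP_SECONDS = re.compile(r"SLEEP\s*\(\s*(\d+)\s*\)", re.IGNORECASE)
LOGIN_WINDOW_S = 60  # assumption: how close a login must be to count as the chain's first step


def parse_log(lines):
    return [json.loads(line) for line in lines]


def classify(entries):
    """Return one finding per POST to /EditEventTypes.php whose newCountName looks injected.

    Response time is never the trigger on its own (latency would cause false positives);
    it only lifts confidence when the payload asked for a delay and the delay was observed.
    """
    findings = []
    last_login = {}  # src -> ts of the most recent POST /session/begin
    for e in entries:
        if e["method"] == "POST" and e["path"] == "/session/begin":
            last_login[e["src"]] = e["ts"]
            continue
        if e["method"] != "POST" or not e["path"].endswith("/EditEventTypes.php"):
            continue
        value = parse_qs(e["body"]).get("newCountName", [""])[0]  # percent-decoded
        if not SQLI_PATTERN.search(value):
            continue
        m = SLEEP_SECONDS.search(value)
        sleep_s = int(m.group(1)) if m else None
        delay_observed = sleep_s is not None and e["ms"] >= sleep_s * 1000
        since_login = e["ts"] - last_login.get(e["src"], float("-inf"))
        findings.append({
            "src": e["src"], "ts": e["ts"], "sleep_seconds": sleep_s,
            "confidence": "high" if delay_observed and e["status"] == 500 else "medium",
            "chained_after_login": 0 <= since_login <= LOGIN_WINDOW_S,
        })
    return findings
```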
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:H/U:Red |
| vulncheck | — | 9.3 | CRITICAL | — |
| vendor_redhat | — | 7.8 | HIGH | — |
| vendor_msrc | — | 6.1 | MEDIUM | — |
GHSA
vLLM has a Weakness in MultiModalHasher Image Hashing Implementation
ghsa · 2025-05-28
CVE-2025-46722 [MEDIUM] CWE-1023 vLLM has a Weakness in MultiModalHasher Image Hashing Implementation
## Summary
In the file `vllm/multimodal/hasher.py`, the `MultiModalHasher` class has a security and data integrity issue in its image hashing method. Currently, it serializes `PIL.Image.Image` objects using only `obj.tobytes()`, which returns only the raw pixel data, without including metadata such as the image’s shape (width, height, mode). As a result, two images of different sizes (e.g., 30x100 and 100x30) with the same pixel byte sequence could generate the same hash value. This may lead to hash collisions, incorrect cache hits, and even data leakage or security risks.
## Details
- **Affected file:** `vllm/multimodal/hasher.py`
- **Affected method:** `MultiModalHasher.serialize_item`
https://github.com/vllm-projec
GHSA
GHSA-4h72-f3hc-p28v: A vulnerability exists in ChurchCRM 5
ghsa_unreviewed·2025-02-18
CVE-2025-1023 [CRITICAL] CWE-89 GHSA-4h72-f3hc-p28v: A vulnerability exists in ChurchCRM 5
A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a time-based blind SQL Injection vulnerability in the EditEventTypes functionality. The newCountName parameter is directly concatenated into an SQL query without proper sanitization, allowing an attacker to manipulate database queries and execute arbitrary commands, potentially leading to data exfiltration, modification, or deletion.
VulnCheck
churchcrm churchcrm Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
vulncheck·2025·CVSS 9.3
CVE-2025-1023 [CRITICAL] churchcrm churchcrm Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a time-based blind SQL Injection vulnerability in the EditEventTypes functionality. The newCountName parameter is directly concatenated into an SQL query without proper sanitization, allowing an attacker to manipulate database queries and execute arbitrary commands, potentially leading to data exfiltration, modification, or deletion.
Affected: churchcrm churchcrm
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://app.crowdsec
Microsoft
Windows BitLocker Security Feature Bypass Vulnerability
vendor_msrc·2025-10-14·CVSS 6.1
CVE-2025-55333 [MEDIUM] CWE-1023 Windows BitLocker Security Feature Bypass Vulnerability
Description: Incomplete comparison with missing factors in Windows BitLocker allows an unauthorized attacker to bypass a security feature with a physical attack.
FAQ: What kind of security feature could be bypassed by successfully exploiting this vulnerability?
A successful attacker could bypass the BitLocker Device Encryption feature on the system storage device. An attacker with physical access to the target could exploit this vulnerability to gain access to encrypted data.
Product: Windows BitLocker
Vendor: Microsoft
Customer Action Required: Yes
Impact: Security Feature Bypass
Exploit Status: Publicly Disclosed: No; Exploited: No; Latest Software Release: Exploitation Less Likely
Reference: https://catalog.update.m
Red Hat
vllm: vLLM has a Weakness in MultiModalHasher Image Hashing Implementation
vendor_redhat·2025-05-29·CVSS 4.2
CVE-2025-46722 [MEDIUM] CWE-1023 vllm: vLLM has a Weakness in MultiModalHasher Image Hashing Implementation
vLLM is an inference and serving engine for large language models (LLMs). In versions starting from 0.7.0 to before 0.9.0, in the file vllm/multimodal/hasher.py, the MultiModalHasher class has a security and data integrity issue in its image hashing method. Currently, it serializes PIL.Image.Image objects using only obj.tobytes(), which returns only the raw pixel data, without including metadata such as the image’s shape (width, height, mode). As a result, two images of different sizes (e.g., 30x100 and 100x30) with the same pixel byte sequence could generate the same hash value. This may lead to hash collisions, incorrect cache hits, and even data leakage or security risks. This issue has been patched in version 0
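The collision described in the GHSA summary above and in this Red Hat record, as an added example (not vLLM's code): a stand-in class exposes only the `.mode`, `.size` and `.tobytes()` attributes of `PIL.Image.Image` that matter here, so the script runs without Pillow. Hashing `tobytes()` alone makes a 100x30 and a 30x100 image with the same pixel bytes collide; prefixing the dimensions and mode to the serialized input is one hardened form and is an assumption, not necessarily the project's exact fix.

```python
import hashlib
import struct


class FakeImage:
    """Minimal stand-in for PIL.Image.Image (assumption: only mode, size, tobytes are used)."""

    def __init__(self, mode, width, height, pixels):
        # PIL's tobytes() for single-band 'L' images is width*height bytes, row-major.
        assert len(pixels) == width * height * len(mode)
        self.mode, self.size, self._pixels = mode, (width, height), pixels

    def tobytes(self):
        return self._pixels  # raw pixel data only, no geometry, like PIL


def hash_pixels_only(img):
    # Weak form: geometry and mode are not part of the hashed input.
    return hashlib.sha256(img.tobytes()).hexdigest()


def hash_with_shape(img):
    # Hardened form: fixed-width width/height and a NUL-terminated mode string
    # precede the pixel bytes, so the serialization is unambiguous.
    w, h = img.size
    header = struct.pack(">II", w, h) + img.mode.encode("ascii") + b"\0"
    return hashlib.sha256(header + img.tobytes()).hexdigest()


# Constructed pixel buffer shared by both images (3000 bytes for a 100x30 / 30x100 'L' image).
PIXELS = bytes(i % 256 for i in range(3000))
WIDE = FakeImage("L", 100, 30, PIXELS)
TALL = FakeImage("L", 30, 100, PIXELS)

if __name__ == "__main__":
    print("pixels-only collide:", hash_pixels_only(WIDE) == hash_pixels_only(TALL))
    print("with-shape collide:", hash_with_shape(WIDE) == hash_with_shape(TALL))
```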
No detection rules found.
Nuclei
ChurchCRM - SQL Injection
nuclei·CVSS 9.3
CVE-2025-1023 [CRITICAL] ChurchCRM - SQL Injection
A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a time-based blind SQL Injection vulnerability in the EditEventTypes functionality. The newCountName parameter is directly concatenated into an SQL query without proper sanitization, allowing an attacker to manipulate database queries and execute arbitrary commands, potentially leading to data exfiltration, modification, or deletion.
Template:

```yaml
id: CVE-2025-1023
info:
  name: ChurchCRM - SQL Injection
  author: Kazgangap
  severity: critical
  description: |
    A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a time-based blind SQL Injection vulnerability in the EditEventTypes
```
No writeups or analysis indexed.