CVE-2025-68110
ChurchCRM · Multiple Products
Executive summary
A critical vulnerability has been identified in the ChurchCRM open-source church management system. This flaw can cause the application to display sensitive database credentials, including the username and password, in an error message, potentially allowing an attacker to gain direct access to the database and compromise all stored information.
Vulnerability
The vulnerability is an improper error handling flaw that leads to information disclosure. When the application encounters a specific type of database connection error, it fails to sanitize the output and instead displays a detailed error message directly to the user. An attacker can intentionally trigger such an error to cause the system to reveal the database host, IP address, username, and password in plain text. This provides the attacker with the direct credentials needed to access and compromise the underlying database.
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.9. Successful exploitation would grant an attacker direct, unauthorized access to the organization's central database. The consequences include a complete loss of data confidentiality, integrity, and availability. An attacker could steal, modify, or delete sensitive Personally Identifiable Information (PII) of church members, financial records, and other confidential data, leading to significant reputational damage, potential identity theft, financial fraud, and regulatory penalties.
Remediation
Immediate Action: Organizations must immediately upgrade all instances of ChurchCRM to version 6.5.3 or later, which contains the fix for this vulnerability. After patching, it is crucial to review web server and application logs for any signs of past exploitation attempts, such as the specific error messages that would have disclosed the credentials.
Proactive Monitoring: Monitor web server logs for HTTP error codes (e.g., 5xx) and inspect the corresponding application logs for database connection error messages. Implement network monitoring to detect unusual connection attempts to the database server from untrusted IP addresses. Set up alerts for any successful database connections originating from outside the expected application server network.
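The log review described in the Immediate Action and Proactive Monitoring steps above, as an added example that is not ChurchCRM's own code: it pairs 5xx requests from a combined-format web server access log with database connection errors logged by the application in the same time window, and flags whether the logged error text itself carried credentials. All log lines, paths, host names and the credential value are constructed, and both logs are assumed to share a timezone.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical; not from a real ChurchCRM install).
ACCESS_LOG = """\
203.0.113.7 - - [12/Jan/2025:10:15:01 +0000] "GET /index.php HTTP/1.1" 200 5123
203.0.113.7 - - [12/Jan/2025:10:15:09 +0000] "POST /index.php HTTP/1.1" 500 2310
"""
APP_LOG = """\
2025-01-12 10:15:09 ERROR Database connection failed: SQLSTATE[HY000] [2002] Connection refused (host=db.internal user=churchcrm password=S3cr3t!)
2025-01-12 10:15:40 INFO Session started
"""

ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[(\S+) [^\]]*\] "([^"]*)" (\d{3}) ')
APP_RE = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \w+ (.*)$')
DB_ERROR_RE = re.compile(r'SQLSTATE|connection (failed|refused)|access denied', re.I)
# Signs that the error text itself carried credentials: key=value secrets or a user:pass@host DSN.
CRED_RE = re.compile(r'\b(password|pwd|passwd)\s*[=:]\s*\S+|\w+://[^:/\s]+:[^@\s]+@', re.I)

def parse_access(text):
    """Yield (ip, timestamp, request line, status) for each combined-format access log line."""
    for m in filter(None, map(ACCESS_RE.match, text.splitlines())):
        ip, ts, req, status = m.groups()
        yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S"), req, int(status)

def parse_app(text):
    """Yield (timestamp, message, leaks_credentials) for DB connection errors in the app log."""
    for m in filter(None, map(APP_RE.match, text.splitlines())):
        ts, msg = m.groups()
        if DB_ERROR_RE.search(msg):
            yield datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), msg, bool(CRED_RE.search(msg))

def correlate(access_text, app_text, window=timedelta(seconds=5)):
    """Pair each 5xx request with DB errors logged within `window` (same timezone assumed)."""
    errors = list(parse_app(app_text))
    findings = []
    for ip, when, req, status in parse_access(access_text):
        if status < 500:
            continue
        near = [e for e in errors if abs(e[0] - when) <= window]
        findings.append({"ip": ip, "request": req, "db_error": bool(near),
                         "credentials_disclosed": any(e[2] for e in near)})
    return findings

if __name__ == "__main__":
    for finding in correlate(ACCESS_LOG, APP_LOG):
        print(finding)
```

A finding with credentials_disclosed set means the error page served to that client carried database credentials, so the credentials should be rotated in addition to patching.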
Compensating Controls: If immediate patching is not feasible, implement the following controls:
- Configure the web server to use custom, generic error pages that do not display detailed application or database error information.
- Deploy a Web Application Firewall (WAF) with rules to block common attack patterns that could trigger database errors.
- Strictly enforce network segmentation by configuring firewall rules to ensure the database server only accepts connections from the application server's IP address.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical CVSS score of 9.9 and the direct exposure of database credentials, this vulnerability poses an extreme risk to the organization. We strongly recommend that all affected ChurchCRM instances be patched to version 6.5.3 or newer with the highest priority. Although this CVE is not currently listed on the CISA KEV catalog, its severity warrants immediate action to prevent a potentially catastrophic data breach.