Look up vulnerabilities affecting packages.

GET /api/vulnerabilities/93047?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/vulnerabilities/93047?format=api",
    "vulnerability_id": "VCID-b24w-f3ca-ayfp",
    "summary": "ChurchCRM is an open-source church management system. In versions prior to 6.5.3, the Database Restore functionality does not validate the content or file extension of uploaded files. As a result, an attacker can upload a web shell file and subsequently upload a .htaccess file to enable direct access to it. Once accessed, the uploaded web shell allows remote code execution (RCE) on the server. Version 6.5.3 fixes the issue.",
    "aliases": [
        {
            "alias": "CVE-2025-68109"
        }
    ],
    "fixed_packages": [],
    "affected_packages": [],
    "references": [
        {
            "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68109",
            "reference_id": "",
            "reference_type": "",
            "scores": [
                {
                    "value": "0.23631",
                    "scoring_system": "epss",
                    "scoring_elements": "0.9611",
                    "published_at": "2026-06-11T12:55:00Z"
                },
                {
                    "value": "0.23631",
                    "scoring_system": "epss",
                    "scoring_elements": "0.96121",
                    "published_at": "2026-06-12T12:55:00Z"
                }
            ],
            "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-68109"
        },
        {
            "reference_url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-pqm7-g8px-9r77",
            "reference_id": "GHSA-pqm7-g8px-9r77",
            "reference_type": "",
            "scores": [
                {
                    "value": "9.1",
                    "scoring_system": "cvssv3.1",
                    "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
                },
                {
                    "value": "Track",
                    "scoring_system": "ssvc",
                    "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2025-12-18T14:55:15Z/"
                }
            ],
            "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-pqm7-g8px-9r77"
        }
    ],
    "weaknesses": [
        {
            "cwe_id": 78,
            "name": "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')",
            "description": "The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component."
        },
        {
            "cwe_id": 434,
            "name": "Unrestricted Upload of File with Dangerous Type",
            "description": "The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment."
        },
        {
            "cwe_id": 494,
            "name": "Download of Code Without Integrity Check",
            "description": "The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code."
        },
        {
            "cwe_id": 552,
            "name": "Files or Directories Accessible to External Parties",
            "description": "The product makes files or directories accessible to unauthorized actors, even though they should not be."
        },
        {
            "cwe_id": 915,
            "name": "Improperly Controlled Modification of Dynamically-Determined Object Attributes",
            "description": "The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, but it does not properly control which attributes can be modified."
        }
    ],
    "exploits": [
        {
            "date_added": null,
            "description": "This module exploits a Remote Code Execution (RCE) vulnerability in ChurchCRM\n          versions prior to 6.2.0. The vulnerability resides in the Database Restore\n          functionality, which allows an authenticated user with administrative privileges\n          to upload a malicious backup file. By bypassing upload restrictions via a\n          crafted .htaccess file, the module enables PHP code execution in the target\n          directory, ultimately providing the attacker with a Meterpreter shell.",
            "required_action": null,
            "due_date": null,
            "notes": "Stability:\n  - crash-safe\nReliability:\n  - repeatable-session\nSideEffects:\n  - ioc-in-logs\n  - config-changes\n",
            "known_ransomware_campaign_use": false,
            "source_date_published": "2025-12-17",
            "exploit_type": null,
            "platform": "Linux,PHP",
            "source_date_updated": null,
            "data_source": "Metasploit",
            "source_url": "https://github.com/rapid7/metasploit-framework/tree/master/modules/exploits/multi/http/churchcrm_db_restore_rce.rb"
        }
    ],
    "severity_range_score": "9.1 - 9.1",
    "exploitability": null,
    "weighted_severity": null,
    "risk_score": null,
    "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-b24w-f3ca-ayfp"
}