Unknown · Churchrota · CVE-2021-3164
**Name of the Vulnerable Software and Affected Versions**
ChurchRota version 2.6.4
**Description**
The issue allows for authenticated remote code execution. It is possible to upload and execute an arbitrary file without needing file upload permission, by sending a POST request to the "resources.php" API endpoint.
**Recommendations**
For ChurchRota version 2.6.4, consider restricting access to the "resources.php" endpoint until a fix is available. As a temporary workaround, limit file upload ability to only the users who need it, to minimize the risk of exploitation.
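
While access to the endpoint is being restricted, web server logs can show who is still sending POST requests to it. The script below is an added example, not part of the original advisory or of ChurchRota; it assumes the combined access-log format, a hypothetical `/churchrota/` install path, and a trusted address range chosen by the administrator.

```python
import ipaddress
import re

# Apache/nginx "combined" access-log line (assumed log format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
ENDPOINT = "resources.php"  # endpoint named in the advisory


def find_upload_posts(lines, trusted_networks=()):
    """Return POSTs to resources.php whose source is outside trusted_networks."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None or m["method"] != "POST":
            continue
        # Drop the query string; match the script name in any path segment
        # so that trailing path info after the script is still caught.
        path = m["target"].split("?", 1)[0]
        if not any(seg.lower() == ENDPOINT for seg in path.split("/")):
            continue
        try:
            addr = ipaddress.ip_address(m["ip"])
        except ValueError:
            addr = None  # hostname or junk in the host field: never trusted
        if addr is not None and any(addr in n for n in nets):
            continue
        hits.append({"ip": m["ip"], "user": m["user"], "time": m["time"],
                     "target": m["target"], "status": int(m["status"])})
    return hits


# Constructed sample lines (documentation address ranges, assumed install path).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jan/2021:10:01:02 +0000] "POST /churchrota/resources.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Jan/2021:10:05:40 +0000] "POST /churchrota/resources.php?id=3 HTTP/1.1" 200 431 "-" "curl/7.68.0"',
    '203.0.113.7 - - [12/Jan/2021:10:05:41 +0000] "GET /churchrota/resources.php HTTP/1.1" 200 2048 "-" "curl/7.68.0"',
    '198.51.100.3 - - [12/Jan/2021:10:06:00 +0000] "POST /churchrota/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_upload_posts(SAMPLE_LOG, trusted_networks=["192.0.2.0/24"]):
        print(hit)
```

Hits with a 2xx status are requests the server accepted; after the endpoint is restricted, requests from outside the trusted range should show a denial status instead.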