CVE-2021-41661

Name of the Vulnerable Software and Affected Versions Church Management System version 1.0

Description The issue allows for SQL injection through creating a user with a PHP file as an avatar image, accessible via the "/uploads" directory. This can lead to Remote Code Execution (RCE) on the web server by uploading a PHP webshell.

Recommendations For Church Management System version 1.0, consider disabling the ability to upload PHP files as avatar images until a patch is available. Restrict access to the "/uploads" directory to minimize the risk of exploitation. Avoid using the vulnerable user creation feature with file uploads until the issue is resolved.