CVE-2021-43258

Name of the Vulnerable Software and Affected Versions ChurchInfo version 1.3.0

Description The issue allows attackers to achieve remote code execution through insecure uploads in the ChurchInfo application. This requires authenticated access to the application. Once authenticated, a user can upload attachments for emails without any limitations on file types, allowing for malicious PHP code to be uploaded and interpreted by the server.

Recommendations For ChurchInfo version 1.3.0, consider restricting access to the /tmp attach/ folder to prevent direct access to uploaded files, and implement file type validation to prevent uploading of malicious PHP code. As a temporary workaround, consider disabling the file upload feature for email attachments until a patch is available.