References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to [email protected].

Change History

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the family record deletion endpoint (SelectDelete.php) performs permanent, irreversible deletion of family records and all associated data via a plain GET request with no CSRF token validation. An attacker can craft a malicious page that, when visited by an authenticated administrator, silently triggers deletion of targeted family records including associated notes, pledges, persons, and property data without any user interaction. This issue has been fixed in version 7.2.0.

AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

CWE-352

CWE-862

https://github.com/ChurchCRM/CRM/commit/39361628613af7682b813f3e62a412559616d674

https://github.com/ChurchCRM/CRM/pull/8613

https://github.com/ChurchCRM/CRM/security/advisories/GHSA-6qxv-xw9j-77pj