China National Vulnerability Database: CNVD-2022-86334
History: Nov 23, 2022 - 12:00 a.m.

ChurchInfo Arbitrary File Upload Vulnerability

www.cnvd.org.cn

CVSS3: 8.8 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

ChurchInfo is a free church database program from the ChurchInfo team that helps churches track members, families, groups, pledges, and payments. ChurchInfo 1.2.13 and later versions, and 1.3.0 and prior versions, are vulnerable to arbitrary file upload. The vulnerability stems from the application's lack of checks on uploaded files, which attackers can exploit to upload malicious PHP files and execute arbitrary code.
