CVE-2021-43258
CVSS V2 None
CVSS V3 None
Description
CartView.php in ChurchInfo 1.3.0 allows attackers to achieve remote code execution through insecure uploads. This requires authenticated access tot he ChurchInfo application. Once authenticated, a user can add names to their cart, and compose an email. Uploading an attachment for the email stores the attachment on the site in the /tmp_attach/ folder where it can be accessed with a GET request. There are no limitations on files that can be attached, allowing for malicious PHP code to be uploaded and interpreted by the server.
Overview
- CVE ID
- CVE-2021-43258
- Assigner
- cve@mitre.org
- Vulnerability Status
- Analyzed
- Published Version
- 2022-11-23T19:15:11
- Last Modified Date
- 2022-11-30T15:52:04
Weakness Enumerations
CPE Configuration (Product)
| CPE | Vulnerable | Operator | Version Start | Version End |
|---|---|---|---|---|
| cpe:2.3:a:churchdb:churchinfo:*:*:*:*:*:*:*:* | 1 | OR | 1.2.13 | 1.3.0 |
References
Sources
| Source Name | Source URL |
|---|---|
| NIST | https://nvd.nist.gov/vuln/detail/CVE-2021-43258 |
| MITRE | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43258 |
History
| Created | Old Value | New Value | Data Type | Notes |
|---|---|---|---|---|
| 2022-11-23 20:00:17 | Added to TrackCVE | |||
| 2022-12-07 18:02:13 | 2022-11-23T19:15Z | 2022-11-23T19:15:11 | CVE Published Date | updated |
| 2022-12-07 18:02:13 | 2022-11-30T15:52:04 | CVE Modified Date | updated | |
| 2022-12-07 18:02:13 | Analyzed | Vulnerability Status | updated | |
| 2022-12-07 18:02:13 | CWE-434 | Weakness Enumeration | new | |
| 2022-12-07 18:02:14 | CPE Information | updated |