This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login.
Q1: What is this vulnerability? (Essence + Consequences)
**Essence**: ChurchCRM < 7.2.0 has a critical flaw in its **Database Backup/Restore** feature. **Consequences**: attackers can achieve **Remote Code Execution (RCE)** and **Cross-Site Request Forgery (CSRF)**. …
**Affected Vendor**: ChurchCRM. **Product**: CRM System. **Versions**: all versions **prior to 7.2.0**. If you are running 7.1.x or older, you are vulnerable!
Q4: What can hackers do? (Privileges/Data)
**Attacker Capabilities**:
1. **RCE**: execute arbitrary code on the server.
2. **CSRF**: trick admins into performing actions. …
**Exploitation Threshold**: **Medium-High**. The CVSS vector indicates **PR:H** (Privileges Required: High). You likely need valid admin credentials to access the backup/restore function. …
**Self-Check**:
1. Check your ChurchCRM version (is it < 7.2.0?).
2. Review access logs for unusual database backup/restore requests.
3. Scan for the specific backup endpoints if you have admin access. …
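As an added illustration of the self-check above (not from the original analysis or the ChurchCRM project), this Python script compares an installed version string against the 7.2.0 fix and flags access-log requests whose path mentions backup or restore. The log lines and the endpoint paths in them are constructed placeholders, since the page does not name the real endpoints; the cross-origin Referer flag is an added heuristic aimed at the CSRF angle.

```python
import re
from urllib.parse import urlparse

FIXED_VERSION = (7, 2, 0)  # ChurchCRM release that carries the fix

# Constructed Apache combined-format access log lines; endpoint paths are
# hypothetical, not ChurchCRM's real routes.
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2024:09:12:01 +0000] "GET /Dashboard.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/May/2024:09:13:44 +0000] "POST /api/database/backup HTTP/1.1" 200 311 "https://crm.example.org/Dashboard.php" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:02:41:09 +0000] "POST /api/database/restore HTTP/1.1" 200 88 "https://example.net/" "curl/8.4.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
BACKUP_RE = re.compile(r"backup|restore", re.IGNORECASE)


def is_vulnerable(version: str) -> bool:
    """True when the version string is strictly below the 7.2.0 fix."""
    parts = tuple(int(p) for p in version.strip().lstrip("v").split("."))
    parts = parts + (0,) * (3 - len(parts))  # pad "7.2" to (7, 2, 0)
    return parts < FIXED_VERSION


def find_backup_restore_requests(log_text: str, own_host: str) -> list[dict]:
    """Return parsed log records that touch a backup/restore path.

    Each record gets a 'foreign_referer' flag: True when the Referer names a
    host other than our own, which is a typical signal of a CSRF-driven request.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not BACKUP_RE.search(m.group("path")):
            continue
        rec = m.groupdict()
        ref_host = urlparse(rec["referer"]).hostname if rec["referer"] != "-" else None
        rec["foreign_referer"] = ref_host is not None and ref_host != own_host
        hits.append(rec)
    return hits


if __name__ == "__main__":
    print("7.1.9 vulnerable:", is_vulnerable("7.1.9"))
    for rec in find_backup_restore_requests(SAMPLE_LOG, "crm.example.org"):
        print(rec["ts"], rec["ip"], rec["method"], rec["path"],
              "foreign_referer=%s" % rec["foreign_referer"], rec["ua"])
```

Run it against your real access log (replace SAMPLE_LOG with the file contents) and treat a backup/restore request with a foreign Referer or a scripting User-Agent as something to investigate, not as proof of compromise.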
**Official Fix**: **Yes**. Patched in **version 7.2.0**. **References**: see GitHub commit `68be1d1` and PR `#8610`. The vendor has acknowledged the issue (GHSA-2932-77f9-62fx) and released a fix. Update immediately! …
**No Patch Workaround**:
1. **Restrict Access**: block access to the backup/restore module via firewall/WAF if possible.
2. **Disable Feature**: if the UI allows, disable the database backup function entirely. …
**Urgency**: **HIGH**. CVSS score is **9.8** (Critical). Even though privileges are required, the impact (RCE) is devastating. **Action**: upgrade to v7.2.0+ **NOW**. Do not delay! Time is of the essence.