CVE-2021-43258: n/a in n/a
CartView.php in ChurchInfo 1.3.0 allows attackers to achieve remote code execution through insecure uploads. This requires authenticated access to the ChurchInfo application. Once authenticated, a user can add names to their cart, and compose an email. Uploading an attachment for the email stores the attachment on the site in the /tmp_attach/ folder where it can be accessed with a GET request. There are no limitations on files that can be attached, allowing for malicious PHP code to be uploaded and interpreted by the server.
AI Analysis
Technical Summary
CVE-2021-43258 is a critical vulnerability found in ChurchInfo version 1.3.0, specifically within the CartView.php component. ChurchInfo is an open-source church management software used to handle membership, events, and communications. The vulnerability arises from insecure file upload handling in the email attachment feature. Authenticated users can upload arbitrary files as email attachments, which are stored in the /tmp_attach/ directory on the server. There are no restrictions on the file types that can be uploaded, allowing attackers to upload malicious PHP scripts. Since these files are accessible via direct GET requests and are interpreted by the server, an attacker can execute remote code by accessing the uploaded malicious script. This leads to remote code execution (RCE) with the privileges of the web server user. The vulnerability requires the attacker to have valid authentication credentials, but no additional user interaction is needed beyond uploading the malicious file. The CVSS v3.1 score is 8.8 (high severity), reflecting the network attack vector, low attack complexity, and the significant impact on confidentiality, integrity, and availability. The weakness corresponds to CWE-434 (Unrestricted Upload of File with Dangerous Type). No public exploits are currently known in the wild, and no official patches have been linked yet. However, the vulnerability poses a serious risk due to the potential for full system compromise through remote code execution.
Potential Impact
For European organizations using ChurchInfo 1.3.0, this vulnerability could lead to severe consequences. Successful exploitation allows attackers to execute arbitrary code on the server, potentially leading to full system compromise, data theft, defacement, or use of the server as a pivot point for further attacks within the network. Confidential information such as member data, event details, and internal communications could be exposed or manipulated. The integrity of organizational data could be compromised, and availability disrupted by destructive payloads or ransomware. Since the vulnerability requires authentication, insider threats or compromised credentials pose a significant risk. European churches and related non-profit organizations relying on ChurchInfo for member management and communication are particularly vulnerable. The impact extends beyond data loss to reputational damage and potential legal consequences under GDPR due to unauthorized data access or breaches.
Mitigation Recommendations
1. Immediately restrict file upload types by implementing server-side validation to allow only safe file formats (e.g., PDFs, images) and explicitly block executable files such as PHP, ASP, or scripts.
2. Implement strict access controls on the /tmp_attach/ directory to prevent direct web access, or disable execution of scripts in this directory via web server configuration (e.g., using .htaccess or equivalent to deny script execution).
3. Enforce strong authentication mechanisms and monitor user activities to detect anomalous behavior, especially related to file uploads.
4. Regularly audit and sanitize uploaded files to detect and remove potentially malicious content.
5. If possible, isolate the ChurchInfo application in a sandboxed environment or container with minimal privileges to limit the impact of a successful exploit.
6. Monitor logs for suspicious GET requests targeting the /tmp_attach/ folder.
7. Encourage users to update to newer versions of ChurchInfo if patches addressing this vulnerability become available.
8. Consider implementing multi-factor authentication to reduce the risk of credential compromise.
9. Conduct security awareness training for administrators and users about the risks of file uploads and credential security.
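Recommendation 6 in practice: an added detection script (not part of the advisory or of ChurchInfo) that scans combined-format web server access logs for GET requests fetching script files under /tmp_attach/ and correlates each hit with a preceding POST to CartView.php from the same client. The log lines, the /churchinfo/ install prefix and the ten-minute correlation window are constructed assumptions.

```python
"""Flag the upload-then-fetch pattern behind CVE-2021-43258 in access logs."""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)'
    r' [^"]*" (?P<status>\d{3}) \S+'
)
# Extensions a typical PHP stack may execute; tune to the server's handlers
# (assumption: ChurchInfo runs under a PHP-enabled web server).
SCRIPT_EXT = re.compile(r'\.(php\d?|phtml|phar|asp|aspx|jsp|cgi|pl)(\.|$)', re.I)

def parse_line(line):
    """Return a dict for a well-formed log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def find_suspicious(lines, window_s=600):
    """Return (ip, path, status, correlated) for script fetches under
    /tmp_attach/; correlated is True when the same ip POSTed CartView.php
    within window_s seconds before the fetch."""
    uploads = defaultdict(list)  # ip -> timestamps of POST CartView.php
    hits = []
    for rec in filter(None, map(parse_line, lines)):
        path = rec["path"].split("?", 1)[0]  # drop query string
        if rec["method"] == "POST" and path.endswith("/CartView.php"):
            uploads[rec["ip"]].append(rec["ts"])
        elif rec["method"] == "GET" and "/tmp_attach/" in path and SCRIPT_EXT.search(path):
            recent = any(0 <= (rec["ts"] - t).total_seconds() <= window_s
                         for t in uploads[rec["ip"]])
            hits.append((rec["ip"], path, rec["status"], recent))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE = [
    '203.0.113.7 - - [10/Nov/2021:10:01:02 +0000] "POST /churchinfo/CartView.php HTTP/1.1" 302 -',
    '203.0.113.7 - - [10/Nov/2021:10:01:30 +0000] "GET /churchinfo/tmp_attach/notes.php HTTP/1.1" 200 512',
    '198.51.100.4 - - [10/Nov/2021:10:05:00 +0000] "GET /churchinfo/tmp_attach/agenda.pdf HTTP/1.1" 200 8812',
    '198.51.100.9 - - [10/Nov/2021:11:15:00 +0000] "GET /churchinfo/tmp_attach/x.phtml HTTP/1.1" 404 196',
]

if __name__ == "__main__":
    for ip, path, status, correlated in find_suspicious(SAMPLE):
        tag = " (after CartView.php POST)" if correlated else ""
        print(f"{ip} GET {path} -> {status}{tag}")
```

A 200 on a correlated hit means the server served (and most likely executed) an attacker-controlled script, which should be treated as a confirmed compromise rather than an attempt.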
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland, Sweden, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2021-11-02T00:00:00.000Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d983dc4522896dcbef376
Added to database: 5/21/2025, 9:09:17 AM
Last enriched: 6/22/2025, 7:50:35 AM
Last updated: 7/29/2025, 8:36:04 PM