CVE-2024-37418 is a security vulnerability identified in the Church Admin software developed by andy_moyle, affecting all versions up to and including 4.4.6. The vulnerability is classified as an 'Unrestricted Upload of File with Dangerous Type,' meaning the application does not properly restrict or validate the types of files users can upload. This flaw allows an attacker to upload files that could contain malicious code, such as executable scripts or web shells, which can then be executed on the server hosting the application. The lack of restrictions on file types increases the risk of remote code execution (RCE), enabling attackers to gain unauthorized access, manipulate data, or compromise the underlying server infrastructure. Although no known exploits have been reported in the wild at the time of publication, the vulnerability's nature makes it a significant risk if left unmitigated. The affected software, Church Admin, is used primarily by religious organizations to manage church operations, including member data, event scheduling, and financial records. The vulnerability arises from insufficient input validation and inadequate server-side controls on file uploads, which are common vectors for exploitation in web applications. The absence of a CVSS score indicates that the vulnerability is newly disclosed and has not yet been fully assessed, but its characteristics suggest a high-risk profile. The vulnerability was published on July 9, 2024, and was reserved in early June 2024 by Patchstack, indicating coordinated disclosure efforts. No patches or fixes are currently linked, emphasizing the need for immediate attention by users of the affected software.

The unrestricted upload of dangerous file types can have severe consequences for organizations using Church Admin. Attackers could upload malicious scripts or web shells, leading to remote code execution, full server compromise, data theft, or destruction. Confidentiality of sensitive personal and financial data managed by churches could be breached, damaging trust and potentially violating data protection regulations. Integrity of data could be compromised by unauthorized modifications, and availability could be disrupted by attackers deleting or corrupting files or launching denial-of-service attacks. Since the vulnerability does not require authentication or user interaction, exploitation is relatively easy, increasing the risk of automated or opportunistic attacks. Organizations worldwide using Church Admin, particularly those with limited cybersecurity resources, are at risk of significant operational disruption and reputational damage. The absence of known exploits currently provides a window for proactive mitigation before widespread attacks occur.

Organizations should immediately implement strict server-side validation of all file uploads to restrict allowed file types to only those necessary for Church Admin's functionality (e.g., images or documents). Employing a whitelist approach rather than blacklisting file extensions is recommended. Additionally, files should be scanned for malware before acceptance and stored outside the web root to prevent direct execution. Implementing Content Security Policy (CSP) headers and disabling script execution in upload directories can further reduce risk. Monitoring logs for unusual upload activity and failed validation attempts can help detect exploitation attempts early. Until an official patch is released, consider temporarily disabling file upload features if feasible. Engage with the vendor or community to obtain updates or patches promptly. Regularly update and harden the underlying server environment, including web server and operating system security configurations. Conduct security awareness training for administrators to recognize suspicious activity related to file uploads.