CVE-2026-35573

ChurchCRM · ChurchCRM

ChurchCRM's backup restore functionality is vulnerable to path traversal, allowing authenticated administrators to overwrite configuration files and achieve remote code execution.

Executive summary

A path traversal flaw in ChurchCRM allows an authenticated administrator to achieve remote code execution by overwriting sensitive system configuration files.

Vulnerability

The vulnerability resides in the src/ChurchCRM/Backup/RestoreJob.php file, where the client-supplied $rawUploadedFile['name'] value is used to build a filesystem path without adequate validation, so directory traversal sequences in the uploaded filename are honoured. An authenticated administrator can therefore write arbitrary files, such as a malicious .htaccess file, to locations outside the intended upload directory and gain code execution on the server.
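The defensive pattern that closes this class of bug is to treat the uploaded name as a label rather than a path: keep only its basename, restrict it to a conservative character set that excludes dotfiles such as .htaccess, require a backup-archive suffix, and confirm the final resolved path still sits in the staging directory. The following is an added example written for this page, not ChurchCRM's own RestoreJob.php nor the fix shipped in 6.5.3; it assumes the staging directory is the tmp_attach/ folder named in this advisory and that restore archives carry a .zip, .sql, .sql.gz or .tar.gz suffix (both assumptions are placeholders to adapt).

```php
<?php
// Added example (not ChurchCRM's code): hardened handling of an uploaded
// backup filename before it is written into the restore staging directory.
// Assumptions: the staging directory is the application's tmp_attach/ folder
// (named in the advisory) and restore archives end in one of the suffixes below.

declare(strict_types=1);

final class RestoreUploadValidator
{
    private const ALLOWED_SUFFIXES = ['.zip', '.sql', '.sql.gz', '.tar.gz'];

    public function __construct(private string $stagingDir) {}

    /**
     * Returns the absolute path the upload may be written to, or throws.
     * The client-supplied name is never used as a path: only its basename
     * is kept, and even that is checked against a strict character set.
     */
    public function safeTargetPath(string $clientName): string
    {
        // A NUL byte can truncate the path in lower layers; reject it outright.
        if (str_contains($clientName, "\0")) {
            throw new InvalidArgumentException('filename contains NUL');
        }
        // Normalise backslashes so basename() strips Windows-style separators too.
        $name = basename(str_replace('\\', '/', $clientName));
        if ($name === '' || $name === '.' || $name === '..') {
            throw new InvalidArgumentException('empty or traversal filename');
        }
        // First character must be alphanumeric: this excludes dotfiles
        // (.htaccess, .user.ini) and names made only of punctuation.
        if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$/', $name)) {
            throw new InvalidArgumentException('filename has disallowed characters');
        }
        $allowed = false;
        foreach (self::ALLOWED_SUFFIXES as $suffix) {
            if (str_ends_with(strtolower($name), $suffix)) {
                $allowed = true;
                break;
            }
        }
        if (!$allowed) {
            throw new InvalidArgumentException('not a backup archive');
        }
        // Containment check on the resolved staging directory.
        $root = realpath($this->stagingDir);
        if ($root === false || !is_dir($root)) {
            throw new RuntimeException('staging directory missing');
        }
        $target = $root . DIRECTORY_SEPARATOR . $name;
        if (dirname($target) !== $root) {
            throw new RuntimeException('target escaped staging directory');
        }
        return $target;
    }
}

// Demonstration on constructed inputs: one valid archive name, one traversal
// attempt at a dotfile, one script name, one valid compressed dump.
$validator = new RestoreUploadValidator(sys_get_temp_dir());
foreach (['backup-2026-01-01.zip', '../../.htaccess', 'evil.php', 'dump.sql.gz'] as $n) {
    try {
        echo $n, ' -> ', $validator->safeTargetPath($n), PHP_EOL;
    } catch (Throwable $e) {
        echo $n, ' -> rejected (', $e->getMessage(), ')', PHP_EOL;
    }
}
```

The order of checks matters: basename() alone would turn `../../.htaccess` into `.htaccess`, which is exactly the file the advisory warns about, so the character-set rule that forbids a leading dot is what actually blocks it, and the final dirname() comparison is a belt-and-braces guard in case an earlier check is later relaxed. PHP 8 is required for str_contains(), str_ends_with() and constructor promotion.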

Business impact

While this vulnerability requires administrative authentication, the impact is critical (CVSS 9.1). A compromised administrator account can lead to full server takeover, unauthorized access to sensitive donor and member data, and significant operational disruption of the church management system.

Remediation

Immediate Action: Upgrade ChurchCRM to version 6.5.3 or later to apply the necessary path validation fixes.

Proactive Monitoring: Audit logs for administrative file upload activity and monitor for unexpected changes to .htaccess files or other sensitive configuration files.

Compensating Controls: Ensure that the web server process runs with the least privileges necessary and that the /tmp_attach/ directory is configured so that files within it cannot be executed as scripts.
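The Proactive Monitoring item above asks for detection of unexpected changes to .htaccess and other configuration files; a simple baseline-and-compare integrity check gives that without any agent. The script below is an added example for this page, not part of ChurchCRM; it is written in PHP so it runs with the interpreter already on the host. It assumes a web root path, a state-file path and a list of watched filenames (Config.php is assumed to be the application's configuration file) that are placeholders to adapt to the deployment.

```php
<?php
// Added example (not ChurchCRM's code): record a baseline of .htaccess and
// configuration files under the web root, then report drift on later runs.
// Usage: php integrity_check.php baseline <webroot> <state.json>
//        php integrity_check.php check    <webroot> <state.json>   (from cron)
// Assumptions: paths and the watched filename list below are placeholders.

declare(strict_types=1);

/** Return sorted absolute paths of every watched file under $root. */
function watchedFiles(string $root): array
{
    // Files whose appearance or modification should always be explained.
    $watch = ['.htaccess', 'Config.php', 'config.php', 'php.ini', '.user.ini'];
    $found = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if ($file->isFile() && in_array($file->getFilename(), $watch, true)) {
            $found[] = $file->getPathname();
        }
    }
    sort($found);
    return $found;
}

/** Hash, mtime and permission bits for each watched file. */
function snapshot(string $root): array
{
    $snap = [];
    foreach (watchedFiles($root) as $path) {
        $snap[$path] = [
            'sha256' => hash_file('sha256', $path),
            'mtime'  => filemtime($path),
            'mode'   => sprintf('%04o', fileperms($path) & 07777),
        ];
    }
    return $snap;
}

/** Returns human-readable findings; an empty array means no drift. */
function compare(array $baseline, array $current): array
{
    $findings = [];
    foreach ($current as $path => $meta) {
        if (!isset($baseline[$path])) {
            // A new .htaccess in an upload directory is the case the advisory describes.
            $findings[] = "NEW     $path";
        } elseif ($baseline[$path]['sha256'] !== $meta['sha256']) {
            $findings[] = "CHANGED $path";
        } elseif ($baseline[$path]['mode'] !== $meta['mode']) {
            $findings[] = "MODE    $path ({$baseline[$path]['mode']} -> {$meta['mode']})";
        }
    }
    foreach (array_diff_key($baseline, $current) as $path => $_) {
        $findings[] = "MISSING $path";
    }
    return $findings;
}

$mode  = $argv[1] ?? 'check';
$root  = $argv[2] ?? '/var/www/churchcrm';                 // placeholder path
$state = $argv[3] ?? '/var/lib/churchcrm-integrity.json';  // placeholder path

if ($mode === 'baseline') {
    file_put_contents($state, json_encode(snapshot($root), JSON_PRETTY_PRINT));
    echo 'baseline written: ', count(watchedFiles($root)), " files\n";
    exit(0);
}

$baseline = json_decode((string) file_get_contents($state), true) ?? [];
$findings = compare($baseline, snapshot($root));
foreach ($findings as $f) {
    fwrite(STDERR, $f . "\n");
}
// Non-zero exit lets cron or a wrapper raise an alert on any drift.
exit($findings === [] ? 0 : 1);
```

Take the baseline immediately after upgrading to 6.5.3 and store the state file outside the web root with permissions that the web server user cannot write, otherwise an attacker who gains write access could re-baseline their own changes. Re-run the baseline deliberately after every legitimate configuration change so that the check stays quiet in normal operation and loud only when something unexpected appears.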

Exploitation status

Public Exploit Available: No

Analyst recommendation

Organizations utilizing ChurchCRM must verify their current version and apply the 6.5.3 update immediately. Additionally, ensure that administrative access is restricted to authorized personnel only to mitigate the risk of account compromise.