cbcvebase.
CVE-2021-43258
published 2022-11-23

CVE-2021-43258: CartView.php in ChurchInfo 1.3.0 allows attackers to achieve remote code execution through insecure uploads. This requires authenticated access to the…

Priority: P2 (69), high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available
EPSS: 10.52% (95.2 percentile)
CartView.php in ChurchInfo 1.3.0 allows attackers to achieve remote code execution through insecure uploads. This requires authenticated access to the ChurchInfo application. Once authenticated, a user can add names to their cart and compose an email. Uploading an attachment for the email stores the attachment on the site in the /tmp_attach/ folder, where it can be accessed with a GET request. There are no limitations on the files that can be attached, allowing malicious PHP code to be uploaded and interpreted by the server.

Affected

1 range

Vendor: churchdb
Product: churchinfo
Version range: 1.2.13 – 1.3.0
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

path: /tmp_attach/
filename: CartView.php
url: https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/churchinfo_upload_exec.rb
  • Monitor for HTTP GET requests to the /tmp_attach/ directory on ChurchInfo web servers; these may indicate retrieval of a previously uploaded malicious file.
  • Alert on PHP file uploads via CartView.php, particularly multipart POST requests to the cart/email draft functionality that include .php file attachments.
  • Detect the web server process (e.g. www-data) spawning child processes following a GET request to /tmp_attach/, which is indicative of server-side PHP execution of an uploaded payload.
  • The vulnerability affects ChurchInfo versions 1.2.13 through 1.3.0; scope detection rules accordingly.
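As an added defensive example (not part of this CVE record or of the linked Metasploit module), the rules above expressed as a log-based check: it parses combined-format web server access log lines, flags GET requests into /tmp_attach/, escalates when the requested file carries a PHP-executable extension, and escalates again when the same client POSTed to CartView.php within the preceding hour. The sample log lines are constructed; the web-root path prefix, the one-hour window and the extension list beyond .php are assumptions.

```python
import re
from datetime import datetime, timedelta

# Combined log format: ip ident user [time] "METHOD path HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# Assumption: ChurchInfo is deployed at the web root; adjust if it lives under a sub-path.
UPLOAD_PAGE = re.compile(r'/CartView\.php(\?.*)?$', re.IGNORECASE)
TMP_ATTACH = re.compile(r'/tmp_attach/(?P<name>[^?/]*)', re.IGNORECASE)
# .php is what the advisory names; the other extensions are an assumed hardening extra.
SCRIPT_EXT = re.compile(r'\.(php\d?|phtml|phar)$', re.IGNORECASE)

def parse(line):
    """Parse one access-log line into a dict, or None if it is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    return ev

def detect(lines, window=timedelta(hours=1)):
    """Return (severity, client_ip, path) findings for /tmp_attach/ retrievals."""
    last_post = {}  # client ip -> time of its most recent POST to CartView.php
    findings = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["method"] == "POST" and UPLOAD_PAGE.search(ev["path"]):
            last_post[ev["ip"]] = ev["ts"]  # candidate attachment upload
            continue
        m = TMP_ATTACH.search(ev["path"])
        if ev["method"] == "GET" and m:
            sev = "medium"  # any fetch from the attachment folder is worth a look
            if SCRIPT_EXT.search(m.group("name")):
                sev = "high"  # a server-side script was requested from tmp_attach
                prior = last_post.get(ev["ip"])
                if prior is not None and ev["ts"] - prior <= window:
                    sev = "critical"  # same client uploaded via CartView.php just before
            findings.append((sev, ev["ip"], ev["path"]))
    return findings

# Constructed sample lines (documentation-range addresses), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [10/Jan/2024:10:00:01 +0000] "POST /CartView.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Jan/2024:10:00:05 +0000] "GET /tmp_attach/invoice.php HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jan/2024:11:30:00 +0000] "GET /tmp_attach/agenda.pdf HTTP/1.1" 200 48211 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jan/2024:11:30:02 +0000] "GET /tmp_attach/notes.PHP HTTP/1.1" 200 14 "-" "curl/8.0"',
    '192.0.2.4 - - [10/Jan/2024:12:00:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for sev, ip, path in detect(SAMPLE):
        print(f"{sev:8} {ip:14} {path}")
```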