ChurchCRM Missing Object-Level Authorization Vulnerability in Person API Endpoint

Vulnerability

A vulnerability exists in ChurchCRM, an open-source church management system, in versions prior to 7.2.0. The issue is located in the GET /api/person/{personId} endpoint, which retrieves person records without proper authorization checks. This oversight allows authenticated users with only EditSelf privileges to access and read records of other members, exposing sensitive personal information such as names, addresses, phone numbers, and email addresses. The vulnerability arises because the API layer fails to enforce object-level authorization, a check that is present in the legacy PersonView.php page.

Impact

The vulnerability allows any authenticated user with EditSelf privileges to read the records of other individuals, not just their own or their family members. This access includes sensitive personal information, potentially leading to privacy violations.

Reproduction

To reproduce the vulnerability, log in through the ChurchCRM API as a user with EditSelf privileges. After logging in, use the API key to make a GET request to the /api/person/{personId} endpoint. The request returns the person record without performing the necessary authorization check, allowing access to records of individuals who are not family members.
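The following is an added illustration for this advisory, written in Python rather than ChurchCRM's own PHP, and it is not ChurchCRM's code. It shows the shape of the defect described in the Vulnerability, Impact and Reproduction sections side by side with the fix: a handler that only checks that the caller is authenticated, and a handler that additionally authorizes the caller against the specific person record requested. The `Person`/`User` model, the `edit_self_only` flag and the "own record or same family" policy are assumptions drawn from the advisory text, as is the constructed sample data.

```python
"""Object-level authorization for a person-record lookup.

Added example for this advisory; not ChurchCRM's own code. The data model,
the `edit_self_only` flag and the "own record or same family" policy are
assumptions taken from the advisory's description, not from ChurchCRM.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Person:
    person_id: int
    family_id: Optional[int]
    name: str
    email: str


@dataclass(frozen=True)
class User:
    user_id: int
    person_id: int         # assumption: each user is linked to one person record
    edit_self_only: bool   # True = only EditSelf privilege, no broader rights


# Constructed sample data: one family of two, a second family, one person
# with no family record at all.
PEOPLE = {
    1: Person(1, family_id=10, name="Alice Example", email="alice@example.invalid"),
    2: Person(2, family_id=10, name="Bob Example", email="bob@example.invalid"),
    3: Person(3, family_id=20, name="Carol Sample", email="carol@example.invalid"),
    4: Person(4, family_id=None, name="Dan Solo", email="dan@example.invalid"),
}


def can_view_person(user: User, target: Person, people=PEOPLE) -> bool:
    """Object-level check: an EditSelf-only user may read their own record or
    a record in their own family; any other role is allowed through here."""
    if not user.edit_self_only:
        return True
    own = people[user.person_id]
    if target.person_id == own.person_id:
        return True
    # Family membership only counts when the caller actually has a family;
    # two people with family_id None must not be treated as relatives.
    return own.family_id is not None and own.family_id == target.family_id


def get_person_vulnerable(user: User, person_id: int,
                          people=PEOPLE) -> Tuple[int, Optional[Person]]:
    """Pre-fix shape of the handler: the caller is authenticated (a User
    object exists) but never compared against the record being fetched."""
    target = people.get(person_id)
    if target is None:
        return 404, None
    return 200, target


def get_person_hardened(user: User, person_id: int,
                        people=PEOPLE) -> Tuple[int, Optional[Person]]:
    """Fixed shape: look the record up, then authorize against that object
    before returning any of its fields."""
    target = people.get(person_id)
    if target is None:
        return 404, None
    if not can_view_person(user, target, people):
        return 403, None   # deny without leaking the record body
    return 200, target


if __name__ == "__main__":
    alice = User(user_id=100, person_id=1, edit_self_only=True)
    for pid in (1, 2, 3, 4):
        print(pid, get_person_vulnerable(alice, pid)[0], get_person_hardened(alice, pid)[0])
```

Run stand-alone, the loop prints 200 for every ID from the unfixed handler and 200/200/403/403 from the hardened one for the same EditSelf-only caller. The check lives after the lookup and before the response is built, so it can use attributes of the fetched object (the family ID) rather than only the caller's role; that is what distinguishes object-level authorization from the function-level check the API already performed. A deployment that wants to avoid confirming which IDs exist can return 404 instead of 403 on denial.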

Remediation

Update to ChurchCRM version 7.2.0 or later, where this vulnerability has been fixed.

Added: Apr 18, 2026, 12:24 AM
Updated: Apr 18, 2026, 12:24 AM

Vulnerability Rating

Custom Algorithm

spread: 1.9
impact: 2.5
exploitability: 6.6
remediation: 7.9
relevance: 6.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.