ChurchCRM
cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*
- <= 7.1.2
An authentication bypass vulnerability has been identified in ChurchCRM versions prior to 7.2.0. The issue resides in the public login API endpoint, which only validates usernames and passwords before issuing an API key. This process bypasses essential authentication measures such as account lockout and two-factor authentication (2FA) checks. Consequently, an attacker aware of a user's password can gain API access, even if the account is locked or 2FA is enabled, thereby accessing all protected API endpoints with the user's privileges.
Exploitation of this vulnerability allows for the bypass of two-factor authentication and account lockout measures, granting unauthorized access to protected APIs. This could lead to unauthorized actions or data access, especially if the exploited account has elevated privileges.
To reproduce this vulnerability, log in to an affected ChurchCRM version prior to 7.2.0 using a valid username and password. After logging in, the API key will be issued without any 2FA or account lockout checks. This can be verified by accessing a protected API endpoint with the obtained API key.
Users can upgrade to ChurchCRM version 7.2.0 or later, where this vulnerability has been fixed.
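As an added illustration (not ChurchCRM's own code; the names, the lockout threshold of five failures and the SHA-256 demo hashing are assumptions), a minimal Python model of the flawed API-key issuance described above, beside a hardened version that enforces the same lockout and 2FA policy as the interactive login:

```python
from dataclasses import dataclass
import hashlib
import hmac
import secrets


@dataclass
class User:
    username: str
    password_hash: str      # demo only: SHA-256 hex; real code uses a slow password hash
    locked: bool = False
    totp_enabled: bool = False
    failed_logins: int = 0


def make_user(username, password, locked=False, totp_enabled=False):
    """Constructed test fixture; hashes the password the same way _password_ok does."""
    return User(username, hashlib.sha256(password.encode()).hexdigest(), locked, totp_enabled)


def _password_ok(user, password):
    candidate = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(user.password_hash, candidate)


def issue_api_key_weak(user, password):
    """Models the flaw: a correct password alone yields a key, regardless of lockout or 2FA."""
    return secrets.token_hex(16) if _password_ok(user, password) else None


def issue_api_key_hardened(user, password, second_factor_ok, max_failures=5):
    """API-key issuance must apply the same policy as the interactive login:
    lockout first, then the password, then the second factor."""
    if user.locked:
        return None                     # locked accounts get no key, even with the right password
    if not _password_ok(user, password):
        user.failed_logins += 1
        if user.failed_logins >= max_failures:
            user.locked = True          # failed API logins count toward lockout too
        return None
    if user.totp_enabled and not second_factor_ok:
        return None                     # password alone is not enough when 2FA is enabled
    user.failed_logins = 0
    return secrets.token_hex(16)
```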