CVE-2021-3164

Published: Jan 26, 2021Modified: Jun 17, 2026

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

ChurchRota 2.6.4 is vulnerable to authenticated remote code execution. The user does not need to have file upload permission in order to upload and execute an arbitrary file via a POST request to resources.php.

Affected (1)

Products: Churchdesk: Churchrota

Churchdesk

1 product

Churchrota

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Churchdesk Churchrota	Version 2.6.4

Related CWEs

CWE-434

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (4)

https://github.com/Little-Ben/ChurchRota

Source: cve@mitre.org

Third Party Advisory

https://github.com/rmccarth/cve-2021-3164

Source: cve@mitre.org

ExploitThird Party Advisory

https://github.com/Little-Ben/ChurchRota

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://github.com/rmccarth/cve-2021-3164

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

Timeline

No history available yet.