CVE-2021-3164

HIGH

Churchdesk Churchrota - Unrestricted File Upload

Title source: rule

Description

ChurchRota 2.6.4 is vulnerable to authenticated remote code execution. The user does not need to have file upload permission in order to upload and execute an arbitrary file via a POST request to resources.php.

Exploits (1)

nomisec WORKING POC 2 stars

by rmccarth · poc

https://github.com/rmccarth/cve-2021-3164

View Code ZIP pw:eip

References (2)

Core 2

Core References

Third Party Advisory x_refsource_misc

https://github.com/Little-Ben/ChurchRota

View Writeup ZIP pw:eip

Exploit, Third Party Advisory x_refsource_misc

https://github.com/rmccarth/cve-2021-3164

Scores

CVSS v3 8.8

EPSS 0.2078

EPSS Percentile 95.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-434

Status published

Products (1)

churchdesk/churchrota 2.6.4

Published Jan 26, 2021

Tracked Since Feb 18, 2026