ChurchCRM: Authentication Bypass in `/api/public/user/login` Allows Bypass of 2FA and Account Lockout

ChurchCRM is an open-source church management system. In versions prior to 7.2.0, the /api/public/user/login endpoint validates only the username and password before returning the user's API key, bypassing the normal authentication flow that enforces account lockout and two-factor authentication checks. An attacker with knowledge of a user's password can obtain API access even when the account is locked or has 2FA enabled, granting direct access to all protected API endpoints with that user's privileges. This issue has been fixed in version 7.2.0. Note: this issue had a duplicate, GHSA-472m-p3gf-46xp, which has been closed.

N/A

使用候选路径或通道进行的认证绕过

ChurchCRM 安全漏洞

ChurchCRM是ChurchCRM开源的一个为教会打造的开源 CRM 系统。 ChurchCRM 7.2.0之前版本存在安全漏洞，该漏洞源于/api/public/user/login端点仅验证用户名和密码后即返回用户API密钥，绕过了强制执行账户锁定和双因素身份验证检查的正常身份验证流程，可能导致攻击者在账户被锁定或启用2FA时仍获得API访问权限。

N/A

N/A