


Perceptive Security
SOC/SIEM Consultancy

Published:
6 April 2026 at 22:00:00
Alert date:
7 April 2026 at 19:08:14
Source:
nvd.nist.gov
Web Technologies, Identity & Access
ChurchCRM, an open-source church management system, contains an authorization bypass vulnerability in versions prior to 7.1.0. An authenticated API user can modify the state of any family record simply by changing the familyId parameter in a request. The flaw affects multiple endpoints, including the family verification, activation, and geocoding functions. Such a user can deactivate or reactivate arbitrary families, spam verification emails, and mark families as verified without holding the EditRecords privilege that these actions require. This is a broken access control issue that allows privilege escalation within the application. The vulnerability is fixed in version 7.1.0.
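The access-control gap the advisory describes, as an added illustration that is not ChurchCRM's code: a handler that trusts any authenticated caller's familyId beside the same handler gated on the EditRecords privilege, with the gate applied centrally so every family-mutating endpoint gets it. The User class, FAMILIES table, set_active and mark_verified names are assumptions for this model; only familyId, EditRecords and the activate/verify actions come from the advisory.

```python
# Constructed model of the access-control gap described in this advisory.
# Not ChurchCRM code: the familyId parameter, the EditRecords privilege and
# the activate/verify endpoints are taken from the advisory text only.
class Forbidden(Exception):
    pass

class User:
    def __init__(self, name, privileges=()):
        self.name, self.privileges = name, set(privileges)

# Constructed sample data: two families, one privileged and one plain API user.
FAMILIES = {1: {"active": True, "verified": False},
            2: {"active": True, "verified": False}}
ADMIN = User("admin", {"EditRecords"})
MEMBER = User("member")  # authenticated, but without EditRecords

def requires_privilege(priv):
    """Gate a family-mutating handler on a named privilege, regardless of familyId."""
    def deco(fn):
        def wrapper(user, family_id, *args):
            if priv not in user.privileges:
                raise Forbidden(f"{user.name} lacks {priv}")
            return fn(user, family_id, *args)
        return wrapper
    return deco

# Vulnerable shape: authentication was the only gate, so any logged-in caller
# could point familyId at any record and the handler acted on it.
def set_active_vulnerable(user, family_id, active):
    FAMILIES[family_id]["active"] = active
    return FAMILIES[family_id]["active"]

# Hardened shape: the same handlers behind the privilege gate.
@requires_privilege("EditRecords")
def set_active(user, family_id, active):
    FAMILIES[family_id]["active"] = active
    return FAMILIES[family_id]["active"]

@requires_privilege("EditRecords")
def mark_verified(user, family_id):
    FAMILIES[family_id]["verified"] = True
    return FAMILIES[family_id]["verified"]

def attempt(fn, user, *args):
    """Call a handler and report whether the gate let it through."""
    try:
        fn(user, *args)
        return "allowed"
    except Forbidden:
        return "denied"
```

Without the gate, MEMBER can flip family 2's state just by choosing its id; with it, the same request is refused and only ADMIN's succeeds.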
Technical details
Mitigation steps:
Upgrade ChurchCRM to version 7.1.0 or later, the release that contains the fix.
Affected products:
ChurchCRM (versions prior to 7.1.0)
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-39331
https://github.com/ChurchCRM/CRM/security/advisories/GHSA-vwh8-x823-wjc5
This article was created with the assistance of AI technology by Perceptive.
