# 🛡️ ChurchCRM 6.4.0 — Critical Security Release

> *This release contains critical security fixes. All users should upgrade immediately.*

Released: December 2025

---

## ⚠️ Critical Security Fixes

This release patches **four critical vulnerabilities** discovered during a security audit. All users on 6.x should update to 6.4.0 without delay.

---

### 🔴 SQL Injection — Event Editor (GHSA-wxcc-gvfv-56fg)

A SQL injection vulnerability in the Event Editor allowed a user with event management access to execute arbitrary SQL queries. Fixed by replacing the vulnerable query with parameterized Propel ORM calls.

### 🔴 SQL Injection — Query View (GHSA-qc2c-qmw4-52fp)

A SQL injection vulnerability in `QueryView.php` allowed crafted input to escape the query context. Fixed with proper parameterization.

### 🔴 SQL Injection — Cart to Family (CartToFamily.php)

A SQL injection vulnerability in `CartToFamily.php` was fixed and the affected code migrated to Propel ORM.
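The three fixes above share one pattern: a value from the request was spliced into SQL text, and the fix routes it through a bound parameter instead. The following is an added illustration, not ChurchCRM code; the `demo_event` table, the in-memory SQLite database and the Propel method named in the comment are assumptions made so the snippet runs on its own. It uses a legitimate title containing an apostrophe to show why "escaping the query context" is the same defect whether the input is malicious or not.

```php
<?php
declare(strict_types=1);

// Added example, not ChurchCRM code. Table and column names are made up; the
// in-memory SQLite database exists only so the snippet runs stand-alone.

// Anti-pattern: the search term becomes part of the SQL text. Any quote in the
// term ends the string literal, so the database reads the rest as syntax.
function searchEventsUnsafe(PDO $db, string $term): array
{
    $sql = "SELECT event_id, event_title FROM demo_event WHERE event_title LIKE '%" . $term . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the SQL text is fixed and the term travels as a bound parameter,
// so a quote is just a character inside the data. Propel's generated query
// classes bind the same way, e.g. (assumed name)
//   EventQuery::create()->filterByTitle('%' . $term . '%', Criteria::LIKE)->find();
function searchEventsSafe(PDO $db, string $term): array
{
    $stmt = $db->prepare('SELECT event_id, event_title FROM demo_event WHERE event_title LIKE :term');
    $stmt->bindValue(':term', '%' . $term . '%', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE demo_event (event_id INTEGER PRIMARY KEY, event_title TEXT NOT NULL)');
$db->exec("INSERT INTO demo_event (event_title) VALUES ('Youth Retreat'), ('Men''s Breakfast')");

$term = "Men's";   // an ordinary title fragment that happens to contain a quote

try {
    searchEventsUnsafe($db, $term);
} catch (PDOException $e) {
    // The apostrophe closed the string literal: the term was parsed as SQL.
    echo "unsafe query failed with a syntax error (term was treated as SQL)\n";
}

$rows = searchEventsSafe($db, $term);
printf("safe query matched %d row(s): %s\n", count($rows), $rows[0]['event_title']);
```

The `%` wildcards are added to the bound value rather than to the SQL string, which keeps the statement text constant regardless of input; the same holds for Propel's `filterBy*()` calls, which is why migrating to them removes the defect rather than merely hiding it.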

### 🔴 Stored XSS — Group Role Names

A stored cross-site scripting vulnerability in group role names (reported by lukasz-rybak) allowed injected scripts to execute in administrator sessions. Fixed with proper output escaping.
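The fix for stored XSS is output escaping: whatever string sits in the database is converted to text at the moment it is written into HTML. The snippet below is an added illustration, not ChurchCRM code; the helper name `e()` and the table-cell rendering are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not ChurchCRM code. Shows the pattern behind the fix: a stored
// role name is escaped when rendered, so it is displayed as text, never parsed
// as markup. The helper name e() is a hypothetical choice.

// Escape for an HTML text node or a double-quoted attribute value.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Anti-pattern: the stored value goes straight into the page.
function renderRoleRowUnsafe(string $roleName): string
{
    return '<td>' . $roleName . '</td>';
}

// Hardened: every dynamic value passes through e() before reaching the page.
function renderRoleRowSafe(string $roleName): string
{
    return '<td>' . e($roleName) . '</td>';
}

// Constructed stored values: an ordinary name and two that contain characters
// with meaning in HTML (angle brackets, ampersand, double quotes).
$roles = ['Treasurer', 'Leader <b>& co</b>', 'Usher "night" shift'];

foreach ($roles as $name) {
    echo "stored : $name\n";
    echo 'unsafe : ' . renderRoleRowUnsafe($name) . "\n";
    echo 'safe   : ' . renderRoleRowSafe($name) . "\n\n";
}
```

Escaping has to match the destination context: `htmlspecialchars()` covers HTML bodies and quoted attributes, while a value placed into a JavaScript string, a URL or a CSS rule needs that context's own encoder. Input-side cleanup such as `strip_tags()` is not a substitute, because it cannot know where the value will later be rendered.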

---

## 🛡️ Hardening

Beyond the critical fixes, this release adds several defensive improvements:

- **All `strip_tags()` calls replaced** with `InputUtils::sanitizeText()` — consistent, context-aware sanitization throughout the codebase
- **MIME type validation** added to database restore file upload — prevents upload of non-database files
- **Database credential disclosure** prevented — error messages no longer expose connection details
- **CSRF protection** added to system log operations
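Three of the hardening items above are small request-handling checks. The following is an added illustration of each, not ChurchCRM code; the accepted MIME types, the session key name and the error wording are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not ChurchCRM code. Accepted MIME types, the session key and
// the messages are assumptions made for this illustration.

// 1. Server-side MIME validation for a restore upload. $_FILES[...]['type'] is
//    just a client-supplied header, so the type is re-derived from the bytes.
function validateRestoreUpload(string $tmpPath, array $allowed): string
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($tmpPath);
    if ($detected === false || !in_array($detected, $allowed, true)) {
        throw new RuntimeException('Rejected upload: unsupported file type');
    }
    return $detected;
}

// 2. CSRF token: generated once per session, compared in constant time.
function issueCsrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

function checkCsrfToken(array $session, ?string $submitted): bool
{
    return isset($session['csrf_token'])
        && is_string($submitted)
        && hash_equals($session['csrf_token'], $submitted);
}

// 3. Database errors: the driver message (which can contain host, user and
//    password fragments) goes to the server log; the user sees a generic line.
function connectOrFail(string $dsn, string $user, string $pass): PDO
{
    try {
        return new PDO($dsn, $user, $pass, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    } catch (PDOException $e) {
        error_log('DB connect failed: ' . $e->getMessage()); // server log only
        throw new RuntimeException('Database connection failed. See the server log.');
    }
}

// --- demo with constructed inputs ---
$tmp = tempnam(sys_get_temp_dir(), 'restore');
file_put_contents($tmp, "-- MySQL dump\nCREATE TABLE t (id INT);\n");
$allowed = ['text/plain', 'application/sql', 'application/gzip', 'application/zip'];
echo 'upload type: ' . validateRestoreUpload($tmp, $allowed) . "\n";
unlink($tmp);

$session = [];
$token = issueCsrfToken($session);
var_dump(checkCsrfToken($session, $token));          // bool(true)
var_dump(checkCsrfToken($session, 'not-the-token')); // bool(false)

try {
    connectOrFail('nosuchdriver:db=x', 'dbuser', 'dbsecret'); // invalid driver, fails fast
} catch (RuntimeException $e) {
    echo $e->getMessage() . "\n"; // no host, user or password in the user-facing text
}
```

Magic-byte detection only tells a plain-text dump from a binary file; it cannot tell a valid SQL dump from any other text, so the MIME check is a guard against wrong or accidental uploads and the restore action itself still needs the usual admin authorization.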

---

## 🔒 Locale & URL Security

- **Locale support UI hardened** (issue #2770) — locale selection no longer vulnerable to parameter injection
- **URL validation** improved in the setup wizard with a reusable `URLValidator` class — prevents invalid base URLs from being saved
- **Locale detection** added to setup wizard and debug page for easier first-time configuration
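Both locale hardening and base-URL validation come down to the same rule: treat the request value as an untrusted string and accept it only if it matches a fixed shape. The class below is an added illustration, not the project's `URLValidator`; its method name, the allowed-scheme list and the locale allowlist are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not ChurchCRM code. The class name URLValidator comes from the
// release note; its method, the scheme list and the locale list are assumptions.

final class URLValidator
{
    private const ALLOWED_SCHEMES = ['http', 'https'];

    // Returns the normalized base URL, or null when it must not be saved.
    public static function validateBaseUrl(string $candidate): ?string
    {
        $candidate = trim($candidate);
        if (filter_var($candidate, FILTER_VALIDATE_URL) === false) {
            return null;
        }
        $parts = parse_url($candidate);
        if (!isset($parts['scheme'], $parts['host'])) {
            return null;
        }
        if (!in_array(strtolower($parts['scheme']), self::ALLOWED_SCHEMES, true)) {
            return null;
        }
        // A base URL must not carry a query, a fragment or embedded credentials.
        if (isset($parts['query']) || isset($parts['fragment']) || isset($parts['user'])) {
            return null;
        }
        return rtrim($candidate, '/');
    }
}

// Locale selection: the request value is compared against a fixed allowlist,
// never used to build a file path or a command.
function selectLocale(?string $requested, array $available, string $fallback): string
{
    if (is_string($requested)
        && preg_match('/^[a-z]{2}(_[A-Z]{2})?$/', $requested) === 1
        && in_array($requested, $available, true)) {
        return $requested;
    }
    return $fallback;
}

// Constructed inputs.
$urls = [
    'https://crm.example.org/',
    'http://10.0.0.5:8080/churchcrm',
    'ftp://crm.example.org/',
    'data:text/plain,hello',
    'not a url',
    'https://user:pw@crm.example.org/',
];
foreach ($urls as $u) {
    printf("%-40s => %s\n", $u, URLValidator::validateBaseUrl($u) ?? 'REJECTED');
}

$locales = ['en_US', 'de_DE', 'fr_FR', 'es_ES'];
foreach (['de_DE', 'xx_XX', '../de_DE', null] as $req) {
    printf("%-12s => %s\n", var_export($req, true), selectLocale($req, $locales, 'en_US'));
}
```

The locale check succeeds only for values that both match the `ll_CC` shape and appear in the installed list, so an unexpected value falls back to the default rather than being looked up on disk; the URL check rejects anything that is not a plain `http`/`https` origin plus optional path, which is what a base URL is supposed to be.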

---

## ⚙️ System Improvements

- System config API moved from `/api/system` to `/admin/api/system` and modernized with consistent patterns
- **Upgrade service** refactored into a reusable `UpgradeAPIService` — eliminates duplicated upgrade logic
- **Fresh release data** ensured on upgrade checks — previously cached data could show stale update availability
- **Comprehensive upgrade logging** added for diagnosing SHA file check failures
- Added links to System Logs from the admin dashboard

---

## 🌍 Localization

- Locale detection UX improved (issue #2770)
- Locale strings wrapped with `i18next.t()` for proper internationalization
- Locale updated from POEditor

---

**Full Changelog**: https://github.com/ChurchCRM/CRM/compare/6.3.0...6.4.0
