
Cloud Vulnerability DB
A community-led vulnerabilities database
Apollos Apps, an open source platform for launching church-related apps, contained a critical authentication vulnerability in versions prior to 2.20.0. A newly registered user could take over any existing account by supplying only that person's basic profile information (name, birthday and gender) at sign-up. The takeover covered every authenticated feature of the app, including authenticated links into Rock-based web pages such as giving and events (NVD).
The vulnerability is tracked as CVE-2021-32691 and carries a CVSS v3.1 score of 9.8 (CRITICAL) and a CVSS v2.0 score of 7.5 (HIGH). The root cause was auto-merge logic in the registration flow: when a new person record's basic profile fields matched an existing person, the new record was merged into the existing one, so the newcomer ended up authenticated as that existing user (NVD).
Because the merged identity carried the victim's full access, the impact was not limited to the app's own features: the attacker could follow authenticated links into Rock-based pages for giving and events, opening the door to unauthorized financial transactions and disclosure of sensitive personal information (NVD).
The fix shipped in Apollos Apps 2.20.0. Deployments that cannot upgrade can apply the same change server-side by overriding the 'create' data source method on the 'People' class: the patched method turns off auto-merging for newly created people and replaces the single-step create with a two-step flow that first creates the person record and then patches the remaining profile fields onto it (GitHub Commit). Whichever route is taken, verify the result by registering a second account with the same name, birthday and gender as an existing test account and confirming that it receives a new person ID rather than the existing one.
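The following is an added example, not code from Apollos Apps or Rock RMS. It models the pre-2.20.0 registration flaw described above beside the create-then-patch workaround, and wraps both in the regression check a deployment would want after patching. FakeRock is a constructed in-memory stand-in for the Rock REST endpoints a data source would call (POST /People, GET /People/{id}, PATCH /People/{id}); its "merge on create" rule is a model of the behaviour the advisory describes, not Rock's real person-matching logic. The function names vulnerableCreate, hardenedCreate and registrationsAreIsolated, and the sample profiles, are all constructed for this example.

```javascript
// Added example (not Apollos Apps' or Rock RMS' code). FakeRock is a
// constructed stand-in for the Rock REST endpoints; its merge rule models
// the advisory's description of the flaw, not Rock's real matching logic.
class FakeRock {
  // mergeOn: which fields must all match an existing person for the
  // modelled backend to "merge" a POST into that person instead of creating.
  constructor(mergeOn = ['FirstName', 'LastName', 'BirthDate', 'Gender']) {
    this.people = new Map(); // Id -> person record
    this.nextId = 100;
    this.mergeOn = mergeOn;
  }

  // Modelled flaw: a POST whose demographics match an existing person
  // returns that person's existing Id instead of a fresh record.
  post(path, body) {
    if (path !== '/People') throw new Error(`unsupported path ${path}`);
    for (const [id, p] of this.people) {
      const same = this.mergeOn.every((k) => p[k] !== undefined && p[k] === body[k]);
      if (same) return id;
    }
    const id = this.nextId++;
    this.people.set(id, { Id: id, ...body });
    return id;
  }

  get(path) {
    return { ...this.people.get(this.personId(path)) };
  }

  patch(path, body) {
    const id = this.personId(path);
    Object.assign(this.people.get(id), body);
    return id;
  }

  personId(path) {
    const m = /^\/People\/(\d+)$/.exec(path);
    if (!m || !this.people.has(Number(m[1]))) throw new Error(`no person at ${path}`);
    return Number(m[1]);
  }
}

// Vulnerable shape: one POST carrying the whole profile. If the backend
// merges on matching demographics, the new registration lands on someone
// else's Id, which is the account takeover the advisory describes.
function vulnerableCreate(api, profile) {
  return api.post('/People', profile);
}

// Workaround shape: create a minimal record, verify it is genuinely new,
// then PATCH the rest of the profile onto it.
function hardenedCreate(api, profile) {
  const { FirstName, LastName, ...rest } = profile;
  const minimal = { FirstName, LastName };
  const id = api.post('/People', minimal);

  // Merge detection: a record we just created can only hold the fields we
  // sent (plus Id). Any other populated field means the backend handed back
  // an existing person, so fail closed instead of taking that account over.
  const created = api.get(`/People/${id}`);
  const unexpected = Object.keys(created).filter(
    (k) => k !== 'Id' && !(k in minimal) && created[k] !== undefined,
  );
  if (unexpected.length > 0) {
    throw new Error(`create returned existing person ${id}; refusing to merge`);
  }

  api.patch(`/People/${id}`, rest);
  return id;
}

// Regression check: a second sign-up sharing name, birthday and gender with
// an existing person must get a distinct Id (or be refused), and the
// existing person's data must be left untouched. Profiles are constructed.
function registrationsAreIsolated(createFn, mergeOn) {
  const api = new FakeRock(mergeOn);
  const victim = { FirstName: 'Ada', LastName: 'Lovelace', BirthDate: '1815-12-10',
    Gender: 'Female', Email: 'ada@example.org' };
  const victimId = hardenedCreate(api, victim); // legitimate earlier sign-up
  const attacker = { ...victim, Email: 'attacker@example.net' }; // same demographics
  let attackerId;
  try {
    attackerId = createFn(api, attacker);
  } catch (e) {
    return true; // refused rather than merged
  }
  return attackerId !== victimId && api.get(`/People/${victimId}`).Email === victim.Email;
}
```

With the default merge rule, vulnerableCreate hands the second sign-up the first person's Id while hardenedCreate yields a fresh one. If the modelled backend is made more aggressive (merging on name alone), the two-step flow's post-create check catches the returned pre-populated record and refuses, which is why the verification step belongs in the overridden method rather than only in a one-off test.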
Source: This report was generated using AI