CVE-2021-41965

8.8 HIGH

📋 TL;DR

This SQL injection vulnerability in ChurchCRM allows authenticated attackers to execute arbitrary SQL commands through unsanitized input fields (EN_tyid, theID, EID) during edit operations. It affects ChurchCRM versions 2.0.0 through 4.4.5, potentially compromising the entire database. Any organization using vulnerable ChurchCRM versions with authenticated user access is at risk.

💻 Affected Systems

Products:
  • ChurchCRM
Versions: 2.0.0 to 4.4.5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated user access; affects all installations within the version range regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise, including data theft, data manipulation, privilege escalation, and potential remote code execution via database functions.

🟠 Likely Case

Exfiltration of sensitive church member information, financial records, and personal data; potential unauthorized access to administrative functions.

🟢 If Mitigated

Limited impact where proper input validation, parameterized queries, and database user privilege restrictions are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access; SQL injection is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.4.6 and later

Vendor Advisory: https://github.com/ChurchCRM/CRM/releases

Restart Required: No

Instructions:

1. Back up your ChurchCRM database and files.
2. Download ChurchCRM version 4.4.6 or later from the official repository.
3. Replace the existing installation with the updated version.
4. Verify the update completed successfully.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all)

Implement server-side input validation for the EN_tyid, theID, and EID parameters to reject non-numeric values.

Web Application Firewall Rules (applies to: all)

Deploy WAF rules to block SQL injection patterns in POST/PUT requests to the edit endpoints.

🧯 If You Can't Patch

  • Implement strict database user privilege separation: ensure the ChurchCRM database user has only the permissions the application needs
  • Deploy network segmentation: isolate the ChurchCRM server from other critical systems and enforce strict firewall rules

🔍 How to Verify

Check if Vulnerable:

Check ChurchCRM version in admin panel or via version file; if version is between 2.0.0 and 4.4.5 inclusive, system is vulnerable.

Check Version:

Check /Include/Version.php file or admin dashboard for version information

Verify Fix Applied:

Confirm ChurchCRM version is 4.4.6 or later; test edit functionality with malformed input to ensure proper error handling.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in application logs
  • Multiple failed edit attempts with malformed parameters
  • Database queries containing unusual patterns or UNION statements

Network Indicators:

  • HTTP POST/PUT requests to edit endpoints containing SQL keywords in parameters
  • Unusual database connection patterns from application server

SIEM Query:

source="churchcrm.logs" AND ("SQL syntax" OR "UNION" OR "SELECT *" OR "DROP TABLE")
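As an added example (not ChurchCRM's code and not part of this advisory), the log and network indicators above turned into detection logic in Python. It assumes a hypothetical key=value log format that records request parameters (a stock access log does not show POST/PUT bodies) and a made-up endpoint path; the constructed lines are scanned for non-numeric EN_tyid, theID and EID values, for the SIEM query's keywords, and for users with repeated malformed edit attempts.

```python
import re
from collections import Counter
from urllib.parse import parse_qs

# Parameters the advisory names as unsanitized in the edit operations.
MONITORED_PARAMS = ("EN_tyid", "theID", "EID")
# Keywords from the advisory's SIEM query plus common injection punctuation.
SQL_PATTERN = re.compile(r"\b(UNION|SELECT|DROP\s+TABLE)\b|'|--|/\*", re.IGNORECASE)
# Hypothetical key=value log format that records request parameters (a stock
# access log does not show POST/PUT bodies); the endpoint name is made up.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) method=(?P<method>\S+) path=(?P<path>\S+) '
    r'params="(?P<params>[^"]*)" status=(?P<status>\d+)$'
)
# Constructed sample lines: one clean edit, three malformed edits by one user, one GET.
SAMPLE_LOG = """\
2021-10-12T10:01:02Z user=alice method=POST path=/ExampleEditor.php params="EN_tyid=3&theID=17" status=200
2021-10-12T10:05:11Z user=bob method=POST path=/ExampleEditor.php params="EN_tyid=1%20UNION%20SELECT%201" status=500
2021-10-12T10:05:19Z user=bob method=POST path=/ExampleEditor.php params="theID=17%27" status=500
2021-10-12T10:05:27Z user=bob method=PUT path=/ExampleEditor.php params="EID=abc" status=500
2021-10-12T10:09:40Z user=carol method=GET path=/index.php params="" status=200
"""


def inspect_params(raw_params):
    """Return (param, reason) findings for a percent-encoded query string."""
    findings = []
    # parse_qs percent-decodes values; keep_blank_values keeps emptied parameters visible.
    for name, values in parse_qs(raw_params, keep_blank_values=True).items():
        for value in values:
            if name in MONITORED_PARAMS and not value.isdigit():
                findings.append((name, "non-numeric value for integer parameter"))
            if SQL_PATTERN.search(value):
                findings.append((name, "SQL keyword or injection punctuation"))
    return findings


def scan_log(text, threshold=2):
    """Scan POST/PUT records; return per-request alerts and users at or over threshold."""
    alerts, per_user = [], Counter()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] not in ("POST", "PUT"):
            continue  # unparseable line or a read-only request
        findings = inspect_params(m["params"])
        if findings:
            alerts.append({"ts": m["ts"], "user": m["user"],
                           "status": int(m["status"]), "findings": findings})
            per_user[m["user"]] += 1
    return alerts, sorted(u for u, n in per_user.items() if n >= threshold)
```

Correlating the flagged requests with HTTP 500 responses, as the sample does, matches the advisory's "unusual SQL error messages" indicator and cuts down on false positives from ordinary typos.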
