CVE-2023-24684

7.2 HIGH

📋 TL;DR

ChurchCRM versions 4.5.3 and below contain a SQL injection vulnerability in the GetText.php file via the EID parameter. This allows attackers to execute arbitrary SQL commands on the database. All ChurchCRM installations running vulnerable versions are affected.

💻 Affected Systems

Products:
  • ChurchCRM
Versions: 4.5.3 and all earlier versions
Operating Systems: All operating systems running ChurchCRM
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of affected versions are vulnerable. No special configuration required for exploitation.

📦 What is this software?

ChurchCRM is an open-source church management system: a PHP web application backed by MySQL/MariaDB that stores member, family, donation and event records. A successful injection therefore exposes the congregation's personal and financial data, not just application state.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise, including theft and manipulation of all stored data, authentication bypass and, where the database account holds file-write or similar privileges (for example MySQL FILE), a path to code execution on the host.

🟠 Likely Case: Unauthorized read access to the database and extraction of sensitive information (user credentials, members' personal and financial data), with the possibility of privilege escalation inside the application.

🟢 If Mitigated: Limited impact where input validation, parameterized queries and least-privilege database permissions are in place.

🌐 Internet-Facing: HIGH - ChurchCRM is typically deployed as a web application accessible over the internet, making it directly exposed to attackers.
🏢 Internal Only: MEDIUM - Even internal deployments face risk from insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: No - the 7.2 score corresponds to a vector with Privileges Required: High, so the attacker needs a logged-in, privileged account; a weak or shared admin credential therefore equals full database exposure.
Complexity: LOW

SQL injection through a single GET parameter is straightforward to exploit with off-the-shelf tooling once a valid session is available. A public proof-of-concept exists in the referenced advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.5.4 or later

Vendor Advisory: https://github.com/ChurchCRM/CRM

Restart Required: No

Instructions:

1. Back up the ChurchCRM database and files.
2. Download version 4.5.4 or later from the official GitHub repository.
3. Upgrade the installation. If only GetText.php is replaced, take it from the patched release, but a full upgrade is preferred so that no other changed file is missed.
4. Verify the fix by requesting GetText.php with a non-numeric EID (for example EID=1abc) and confirming the request is rejected without a database error.

🔧 Temporary Workarounds

Input Validation Filter

Platform: all

Add positive input validation so that the EID parameter is accepted only as an integer before it reaches any query.

Modify GetText.php to validate EID as an integer and stop on anything else, for example: $eid = filter_var($_GET['EID'] ?? null, FILTER_VALIDATE_INT); if ($eid === false) { http_response_code(400); die('Invalid input'); } and then use $eid, not $_GET['EID'], in the query. Prefer FILTER_VALIDATE_INT over is_numeric(): is_numeric() also accepts floats and exponent notation such as 1e3 and leaves the value a string.

Web Application Firewall Rule

Platform: all

Block requests whose EID parameter is not a plain integer.

The most reliable WAF rule is positive: on the GetText.php path, allow EID only when its URL-decoded value matches ^[0-9]+$ and block everything else. A keyword blocklist ('SELECT', 'UNION', 'INSERT', 'UPDATE', 'DELETE', 'DROP', '--', '#') can be layered on top, but it must be applied after URL decoding and is easily evaded with case changes, inline comments or alternative encodings, so do not rely on it alone.
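The following is an added example, not ChurchCRM's own GetText.php: it shows the injectable pattern that both workarounds above address next to a hardened version (positive integer validation plus a bound parameter), run against an in-memory SQLite table with constructed rows so it executes stand-alone under PHP with the pdo_sqlite extension. The table name event_text_tbl and its columns are assumptions for the demonstration.

```php
<?php
// Added illustrative example, not ChurchCRM code. The table event_text_tbl
// and its columns are assumed names used only for this demonstration.

// Vulnerable pattern: the raw request value is concatenated into the SQL text,
// so a value such as "1 OR 1=1" becomes part of the WHERE clause.
function buildQueryVulnerable(string $rawEid): string
{
    return 'SELECT body FROM event_text_tbl WHERE event_id = ' . $rawEid;
}

// Hardened step 1: positive validation. FILTER_VALIDATE_INT accepts only a
// decimal integer and returns it as int; is_numeric() would also accept
// floats and exponent notation such as "1e3" and keep the value a string.
// Returns null when the value is not an acceptable event id.
function readEventId(array $query): ?int
{
    $eid = filter_var($query['EID'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    return $eid === false ? null : $eid;
}

// Hardened step 2: bind the value as a typed parameter. Even if validation
// were bypassed, a bound value is sent as data and never parsed as SQL.
function fetchEventText(PDO $db, int $eid): array
{
    $stmt = $db->prepare('SELECT body FROM event_text_tbl WHERE event_id = :eid');
    $stmt->bindValue(':eid', $eid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample data: row 2 stands in for data the caller must not see.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE event_text_tbl (event_id INTEGER, body TEXT)');
$db->exec("INSERT INTO event_text_tbl VALUES (1, 'public event'), (2, 'private note')");

// Numeric-context payload; "1' OR '1'='1" is the equivalent when the
// application wraps the value in quotes.
$attack = '1 OR 1=1';

// Vulnerable path: the payload widens the query to every row.
$leaked = $db->query(buildQueryVulnerable($attack))->fetchAll(PDO::FETCH_COLUMN);
printf("vulnerable: %d row(s) for EID=%s -> %s\n",
    count($leaked), $attack, implode(', ', $leaked));

// Hardened path: the payload fails validation and never reaches the database.
$validated = readEventId(['EID' => $attack]);
printf("hardened:   EID=%s -> %s\n", $attack,
    $validated === null ? 'rejected at validation' : 'accepted');

// Legitimate input still works through the hardened path.
$rows = fetchEventText($db, readEventId(['EID' => '1']));
printf("hardened:   EID=1 -> %s\n", implode(', ', $rows));
```

The two hardening steps are deliberately independent: validation rejects the request early with a clean error, and the bound parameter guarantees that whatever reaches the driver is treated as an integer value, so a future change that loosens the validation does not reopen the injection.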

🧯 If You Can't Patch

  • Implement strict input validation for all user inputs, particularly the EID parameter
  • Restrict database user permissions to minimum required privileges
  • Deploy a web application firewall with SQL injection protection rules
  • Monitor logs for suspicious SQL queries or error messages

🔍 How to Verify

Check if Vulnerable:

Send the GetText.php endpoint a pair of requests that differ only in a SQL condition, for example EID=1' AND '1'='1 versus EID=1' AND '1'='2 (or, if the value is used unquoted, EID=1 AND 1=1 versus EID=1 AND 1=2). A vulnerable build returns different content, or a database error, for the two; a build that validates EID rejects both identically. The single payload /GetText.php?EID=1' OR '1'='1 also serves as a quick check but is noisier and can return errors on either build.

Check Version:

Check ChurchCRM version in the admin dashboard or review the version.php file

Verify Fix Applied:

Test with the same SQL injection payloads and verify they are rejected or properly sanitized without executing SQL commands

📡 Detection & Monitoring

Log Indicators:

  • SQL syntax errors in application logs
  • Unusual database queries from web server IP
  • Multiple failed parameter validation attempts

Network Indicators:

  • HTTP requests with SQL keywords in EID parameter
  • Abnormal response patterns from GetText.php endpoint

SIEM Query:

source="web_logs" AND uri="/GetText.php" AND (query="*SELECT*" OR query="*UNION*" OR query="*OR '1'='1*")

Note: payloads normally arrive URL-encoded (a quote as %27, a space as %20 or +), so either normalise the query string before matching or also match the encoded forms, and check whether your SIEM's wildcard match is case-sensitive. A tighter rule for this endpoint is to alert on any GetText.php request whose decoded EID value is not purely numeric, which needs no list of SQL keywords.
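As an added example (not part of ChurchCRM or of any SIEM product), the positive check described above applied to web server access logs: every GetText.php request whose URL-decoded EID is not a plain decimal integer is reported, which catches encoded, re-cased and commented payloads without trying to recognise SQL. The log lines are constructed in combined log format for the demonstration.

```php
<?php
// Added detection example, not ChurchCRM code. The access log lines below
// are constructed (combined log format) purely to exercise the check.

$sampleAccessLog = <<<'LOG'
10.0.0.5 - - [10/Mar/2023:12:00:01 +0000] "GET /GetText.php?EID=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2023:12:00:07 +0000] "GET /GetText.php?EID=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9021 "-" "sqlmap/1.7"
10.0.0.9 - - [10/Mar/2023:12:00:09 +0000] "GET /GetText.php?EID=1+UNION+SELECT+1,2,3-- HTTP/1.1" 500 310 "-" "sqlmap/1.7"
10.0.0.9 - - [10/Mar/2023:12:00:12 +0000] "GET /GetText.php?EID=1%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "curl/8.0"
10.0.0.7 - - [10/Mar/2023:12:00:15 +0000] "GET /EventEditor.php?EID=7 HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
LOG;

// Returns one record per GetText.php request whose decoded EID is not ^\d+$.
function suspiciousGetTextRequests(string $log): array
{
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        // Client IP, timestamp, request target (path + query) and status code.
        $pattern = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP\/[\d.]+" (\d{3})/';
        if (!preg_match($pattern, $line, $m)) {
            continue;
        }
        [, $ip, $time, $target, $status] = $m;

        $path = parse_url($target, PHP_URL_PATH);
        if (!is_string($path) || basename($path) !== 'GetText.php') {
            continue;
        }

        // parse_str percent-decodes and turns '+' into a space, so the value
        // inspected here is the one the application itself would have seen.
        parse_str((string) parse_url($target, PHP_URL_QUERY), $params);
        if (!isset($params['EID']) || !is_string($params['EID'])) {
            continue;
        }

        // Positive check: anything that is not a plain decimal integer is
        // suspicious, regardless of which SQL keywords it happens to contain.
        if (!preg_match('/^\d+$/', $params['EID'])) {
            $hits[] = [
                'ip'     => $ip,
                'time'   => $time,
                'status' => (int) $status,
                'eid'    => $params['EID'],
            ];
        }
    }
    return $hits;
}

// The constructed log yields three hits, all from 10.0.0.9; the legitimate
// EID=42 request and the EventEditor.php request are not reported.
foreach (suspiciousGetTextRequests($sampleAccessLog) as $hit) {
    printf("%s %s status=%d EID=%s\n", $hit['time'], $hit['ip'], $hit['status'], $hit['eid']);
}
```

Grouping the hits by client IP and counting them over a short window turns this into a practical alert: a single malformed EID can be a typo, while several in a minute from one source, especially with a scanner user agent or a burst of 500 responses, is active injection testing.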

🔗 References
