CVE-2023-38762

7.5 HIGH

📋 TL;DR

A SQL injection vulnerability in ChurchCRM v5.0.0 allows remote attackers to extract sensitive database information by manipulating the friendmonths parameter in QueryView.php. This affects all ChurchCRM v5.0.0 installations with the vulnerable component exposed. Attackers can potentially access user data, configuration details, and other sensitive information stored in the database.

💻 Affected Systems

Products:
  • ChurchCRM
Versions: v5.0.0
Operating Systems: All platforms running ChurchCRM
Default Config Vulnerable: ⚠️ Yes
Notes: All ChurchCRM v5.0.0 installations with QueryView.php accessible are vulnerable. The demo site at demo.churchcrm.io/master confirms the vulnerability exists in default configurations.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise including user credentials, personal information, financial data, and administrative access leading to full system takeover.

🟠 Likely Case: Extraction of sensitive user data (names, emails, addresses) and configuration information that could enable further attacks.

🟢 If Mitigated: Limited information disclosure if database permissions are properly restricted and input validation is enforced at other layers.

🌐 Internet-Facing: HIGH - The vulnerability is in a web application component accessible remotely without authentication.
🏢 Internal Only: MEDIUM - Internal attackers could exploit this to escalate privileges or access sensitive data they shouldn't have.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection vulnerabilities are commonly weaponized. The specific parameter and endpoint are documented in CVE disclosures, making exploitation straightforward for attackers with basic SQLi knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v5.0.1 or later

Vendor Advisory: https://github.com/ChurchCRM/CRM/wiki

Restart Required: No

Instructions:

1. Back up your ChurchCRM database and configuration.
2. Download the latest version from churchcrm.io.
3. Replace the vulnerable QueryView.php file with the patched version.
4. Verify the application functions correctly after the update.

🔧 Temporary Workarounds

Input Validation Filter (applies to: all platforms)

Add server-side validation to sanitize the friendmonths parameter before it is processed.

Modify QueryView.php to add:

    $friendmonths = filter_var($_GET['friendmonths'], FILTER_SANITIZE_NUMBER_INT);

FILTER_SANITIZE_NUMBER_INT strips every character except digits and sign characters, so an injected quote never reaches the query. Validating with FILTER_VALIDATE_INT and rejecting the request when it fails is the stricter option, because it refuses malformed input instead of silently rewriting it.

Access Restriction (applies to: all platforms)

Restrict access to QueryView.php to authenticated users only.

Add an authentication check at the beginning of QueryView.php (after the session has been started):

    if (!isset($_SESSION['user'])) { header('Location: /login.php'); exit(); }

🧯 If You Can't Patch

  • Implement a web application firewall (WAF) with SQL injection rules to block exploitation attempts
  • Disable or restrict access to the QueryView.php endpoint through web server configuration

🔍 How to Verify

Check if Vulnerable:

Test by accessing /QueryView.php?friendmonths=1' OR '1'='1 and checking for SQL error messages or unexpected data returns

Check Version:

Check ChurchCRM version in admin panel or review version.php file

Verify Fix Applied:

Repeat the same SQL injection test after patching; the application should handle the input as an error and leak no data.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in application logs
  • Multiple requests to QueryView.php with suspicious parameters
  • Database queries with unexpected UNION or SELECT statements

Network Indicators:

  • HTTP requests containing SQL keywords (UNION, SELECT, OR) in friendmonths parameter
  • Abnormal traffic patterns to QueryView.php endpoint

SIEM Query:

source="web_logs" AND uri_path="/QueryView.php" AND (query_string="*friendmonths=*'*" OR query_string="*friendmonths=*%27*")
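The SIEM query above keys on a quote character in the friendmonths parameter. The following added example (not part of this advisory and not ChurchCRM code) applies the same detection to web server access logs offline, and generalizes it slightly: any request to QueryView.php whose friendmonths value is not a plain integer is flagged, which also catches double-encoded quotes (%2527) that a single-pass pattern would miss. The log lines are constructed samples; the IP addresses and timestamps are not real indicators.

```python
# Added example: offline detection of suspicious QueryView.php requests
# (CVE-2023-38762). Flags requests whose friendmonths parameter is not a
# plain integer, which covers raw, URL-encoded and double-encoded quotes.
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Combined Log Format (not real traffic).
SAMPLE_LOGS = """\
203.0.113.5 - - [10/Aug/2023:12:00:01 +0000] "GET /QueryView.php?QueryID=3&friendmonths=6 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2023:12:00:02 +0000] "GET /QueryView.php?QueryID=3&friendmonths=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9132 "-" "curl/8.0"
203.0.113.9 - - [10/Aug/2023:12:00:03 +0000] "GET /index.php?friendmonths=1%27 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def is_suspicious_friendmonths(target: str) -> bool:
    """True if the request targets QueryView.php with a non-integer friendmonths value."""
    parts = urlsplit(target)
    if not parts.path.endswith("/QueryView.php"):
        return False
    # parse_qs already decodes one layer of percent-encoding; a second
    # unquote() pass exposes double-encoded payloads such as %2527.
    for value in parse_qs(parts.query, keep_blank_values=True).get("friendmonths", []):
        decoded = unquote(value)
        if not re.fullmatch(r"-?\d+", decoded):
            return True
    return False


def scan(log_text: str) -> list[dict]:
    """Return one record per log line that matches the detection rule."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_suspicious_friendmonths(m.group("target")):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "target": m.group("target")})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS):
        print(f"{hit['ts']} {hit['ip']} {hit['target']}")
```

Only the second sample line is reported: the first carries a legitimate integer, and the third hits a different script, which this rule deliberately ignores.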
