CVE-2023-38764

7.5 HIGH

📋 TL;DR

CVE-2023-38764 is an SQL injection vulnerability in ChurchCRM v5.0.0: the birthmonth and percls request parameters of QueryView.php are placed into a database query without proper sanitization, so an authenticated remote attacker can inject SQL and read data from the database. It affects every ChurchCRM v5.0.0 installation in which the QueryView.php endpoint is reachable. Data at risk includes personal member records, user credentials and anything else stored in the application database.

💻 Affected Systems

Products:
  • ChurchCRM
Versions: v5.0.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: The advisory names only v5.0.0; other versions are not stated as affected. The vulnerable QueryView.php endpoint is normally reachable only by authenticated users, so the attacker needs a valid login or a session obtained elsewhere.

📦 What is this software?

ChurchCRM is an open-source church management system, a PHP web application backed by MySQL/MariaDB, used to track members, families, groups and donations. QueryView.php is one of its query/report pages: it builds a database query from request parameters, which is where this injection sits.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including extraction of all user data, credentials, financial information, and potential privilege escalation to administrative access.

🟠

Likely Case

Extraction of sensitive personal information (names, addresses, contact details, donation records) and potential credential harvesting from database tables.

🟢

If Mitigated

With the parameters validated against their expected values and bound into the query, the injection is closed. A WAF alone is a partial control: it blocks known payload patterns but can be bypassed with encoding or syntax variations, so some residual exposure remains until the code is fixed.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires at least basic user authentication. SQL injection techniques are well-documented and automated tools can be adapted for this vulnerability.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v5.0.1 or later

Vendor Advisory: https://github.com/ChurchCRM/CRM/wiki/Security-Advisories

Restart Required: No

Instructions:

1. Back up the ChurchCRM database and installation files.
2. Download the fixed release (v5.0.1 or later, per the Patch Version above) from the ChurchCRM GitHub releases page.
3. Replace the existing installation files with the patched version and run any upgrade steps the release notes require.
4. Confirm that QueryView.php validates the birthmonth and percls parameters and passes them to the database as bound parameters rather than concatenating them into the SQL string.

🔧 Temporary Workarounds

Input Validation Filter

Platform: all

Add server-side validation so that birthmonth and percls accept only their expected values (a month number and a numeric classification id respectively, the only shapes the page has reason to expect) and reject anything else before the value reaches a query.

Modify QueryView.php to validate the parameters before SQL execution; with the values validated, also pass them as bound parameters rather than string-concatenating them.

WAF Rule

Platform: all

Add a web application firewall rule that blocks requests to QueryView.php whose birthmonth or percls parameter contains quote characters, comment sequences (--, #, /*) or SQL keywords (UNION, SELECT, OR, AND, SLEEP).

Match on the URL-decoded value: payloads arrive percent-encoded (a single quote as %27), so a rule that inspects only the raw request line misses them.

🧯 If You Can't Patch

  • Restrict access to the QueryView.php endpoint (IP allowlisting, VPN-only access, or limiting it to the administrator role) so only trusted users can reach it
  • Run the application's database user with least privilege: grant it only the ChurchCRM schema and no FILE or administrative privileges, so an injection cannot read or write outside the application's own tables. Prepared statements and parameterized queries are the real fix and require the code change described under Official Fix

🔍 How to Verify

Check if Vulnerable:

On a test instance you are authorized to test, request QueryView.php with an always-true payload in birthmonth, e.g. ?birthmonth=1' OR '1'='1&percls=<a valid value>, then with an always-false variant such as 1' AND '1'='2, and compare both responses with a normal request. If the always-true request returns more rows (or a different page) than the always-false one, the parameter is reaching the SQL unescaped. A fixed version rejects or neutralises both payloads and returns the same result as the baseline, or an input error.
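A Python model of the vulnerable query construction, of the validation-plus-bound-parameters workaround given under Temporary Workarounds, and of the boolean-based check described here. This is an added example and is not ChurchCRM's PHP code: the in-memory SQLite schema, the table and column names, the sample rows and the assumed value ranges (month 1-12, numeric percls) are constructed for the demo.

```python
import re
import sqlite3

# Constructed demo data. Table and column names are assumptions for this
# example and are not ChurchCRM's real schema.
PERSON_ROWS = [(1, "Alice", 3, 10), (2, "Bob", 3, 11),
               (3, "Carol", 7, 10), (4, "Dave", 12, 12)]
USER_ROWS = [(1, "admin", "$2y$10$constructed-hash-admin"),
             (2, "clerk", "$2y$10$constructed-hash-clerk")]


def make_db():
    """In-memory SQLite stand-in for the application's MySQL database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person (id INTEGER, name TEXT, birthmonth INTEGER, cls INTEGER)")
    conn.execute("CREATE TABLE user_account (id INTEGER, username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO person VALUES (?, ?, ?, ?)", PERSON_ROWS)
    conn.executemany("INSERT INTO user_account VALUES (?, ?, ?)", USER_ROWS)
    return conn


def query_vulnerable(conn, birthmonth, percls):
    """The bug class behind CVE-2023-38764: the request parameters are pasted
    into the SQL text, so a quote inside them ends the literal and the rest of
    the value is parsed as SQL."""
    sql = ("SELECT id, name FROM person WHERE birthmonth = '" + birthmonth
           + "' AND cls = '" + percls + "'")
    return conn.execute(sql).fetchall()


def query_hardened(conn, birthmonth, percls):
    """The advisory's workaround made concrete: accept only the expected value
    shapes (assumed here: month 1-12, numeric class id), then bind the values
    as parameters so the database never interprets them as SQL."""
    if not re.fullmatch(r"1[0-2]|[1-9]", birthmonth):
        raise ValueError("birthmonth must be 1-12")
    if not re.fullmatch(r"[0-9]{1,9}", percls):
        raise ValueError("percls must be a numeric class id")
    sql = "SELECT id, name FROM person WHERE birthmonth = ? AND cls = ?"
    return conn.execute(sql, (int(birthmonth), int(percls))).fetchall()


def probe(run):
    """Boolean-based check in the spirit of `?birthmonth=1' OR '1'='1`.
    `run(birthmonth, percls)` executes the endpoint's query and returns rows.
    If an always-true payload returns more rows than an always-false one, the
    value reached the SQL unquoted. A payload rejected by input validation
    counts as not injectable."""
    try:
        true_rows = run("3' OR '1'='1", "10")
        false_rows = run("3' AND '1'='2", "10")
    except ValueError:
        return False
    return len(true_rows) > len(false_rows)


def dump_credentials(run):
    """The advisory's 'likely case': a UNION payload in birthmonth reads the
    credentials table through the same endpoint. The trailing `-- ` comments
    out the remainder of the original WHERE clause."""
    return run("0' UNION SELECT id, password_hash FROM user_account -- ", "10")


if __name__ == "__main__":
    db = make_db()
    vuln = lambda m, c: query_vulnerable(db, m, c)
    safe = lambda m, c: query_hardened(db, m, c)
    print("vulnerable handler injectable:", probe(vuln))  # True
    print("hardened handler injectable:", probe(safe))    # False
    print("rows leaked via UNION:", dump_credentials(vuln))
```

Against a live instance the same probe compares HTTP responses instead of row lists: baseline, always-true and always-false requests should produce the same page when the parameter is bound, and a larger or different result for the always-true payload means the value reached the SQL. Run it only against systems you are authorized to test.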

Check Version:

Check ChurchCRM version in admin panel or via /api/system/version endpoint

Verify Fix Applied:

Verify QueryView.php uses parameterized queries and proper input validation for birthmonth/percls parameters

📡 Detection & Monitoring

Log Indicators:

  • Statements from the web application's database account containing UNION, SELECT from unrelated tables, SLEEP/BENCHMARK, or comment sequences (--, #, /*) in the database general or slow query log
  • Repeated requests to QueryView.php with non-numeric birthmonth or percls values from a single source
  • Database error messages (syntax errors near a quote character) appearing in web server or PHP error logs

Network Indicators:

  • HTTP requests to QueryView.php with quote characters or SQL keywords in the birthmonth/percls parameters, usually percent-encoded (%27 for a single quote, %20 or + for spaces)
  • Unusually large responses from QueryView.php to one client (a UNION or always-true payload returning far more rows than a normal query), or long-running requests consistent with time-based payloads

SIEM Query:

source=web_logs AND uri="*QueryView.php*" AND (uri="*birthmonth=*" OR uri="*percls=*") AND (uri="*UNION*" OR uri="*SELECT*" OR uri="*'*" OR uri="*%27*" OR uri="*--*" OR uri="*SLEEP(*")

The query above is pseudo-syntax; adapt it to your SIEM's field names and, where the platform allows, match on the URL-decoded request line so that encoded payloads are not missed.
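Added example, not from the page or the ChurchCRM project, of the detection logic above run over a few constructed access-log lines in Apache combined format: it URL-decodes the query string, looks only at QueryView.php, and flags any birthmonth or percls value that is not a plain number, rating the hit high when the decoded value contains SQL syntax. The IP addresses, timestamps and payloads in SAMPLE_LOG are made up, and the "numeric only" expectation for the two parameters is an assumption.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in Apache combined format. Addresses, timestamps
# and payloads are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Aug/2023:10:01:02 +0000] "GET /QueryView.php?birthmonth=3&percls=10 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Aug/2023:10:01:09 +0000] "GET /QueryView.php?birthmonth=1%27%20OR%20%271%27%3D%271&percls=10 HTTP/1.1" 200 88211 "-" "python-requests/2.31"
10.0.0.9 - - [12/Aug/2023:10:01:15 +0000] "GET /QueryView.php?birthmonth=0%27+UNION+SELECT+id,password+FROM+user_account--+&percls=10 HTTP/1.1" 200 9100 "-" "python-requests/2.31"
10.0.0.5 - - [12/Aug/2023:10:02:00 +0000] "GET /index.php?q=union+select HTTP/1.1" 200 300 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Aug/2023:10:02:30 +0000] "POST /QueryView.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
# Patterns checked against the URL-decoded value: quotes, comment openers and
# the keywords a boolean, UNION or time-based payload needs.
SQLI_RE = re.compile(r"""['"`;]|--|/\*|#|\b(union|select|sleep|benchmark|or|and)\b""", re.I)
WATCHED_PARAMS = ("birthmonth", "percls")


def parse_line(line):
    """Parses one combined-format line into ip, ts, method, path and decoded
    query parameters; returns None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes
    return rec


def find_injection_attempts(log_text):
    """Flags QueryView.php requests whose birthmonth/percls value is not a
    plain number (assumed to be the only legitimate shape), rating the hit
    'high' when the decoded value contains SQL syntax and 'low' otherwise."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith("/QueryView.php"):
            continue
        for name in WATCHED_PARAMS:
            for value in rec["params"].get(name, []):
                if value == "" or value.isdigit():
                    continue
                hits.append({
                    "ip": rec["ip"],
                    "ts": rec["ts"],
                    "param": name,
                    "value": value,
                    "severity": "high" if SQLI_RE.search(value) else "low",
                    # response size: a boolean or UNION payload that works
                    # usually returns far more bytes than the baseline request
                    "bytes": int(rec["size"]) if rec["size"].isdigit() else 0,
                })
    return hits


def attempts_per_source(hits):
    """Per-source counts, the unit a SIEM rule would threshold on."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_injection_attempts(SAMPLE_LOG)
    for h in found:
        print(h["severity"], h["ip"], h["param"], repr(h["value"]), h["bytes"], "bytes")
    print(attempts_per_source(found))
```

Two things the access log cannot show: POST bodies (the last sample line carries no parameters in the request line, so parameters sent in a form body need a WAF or application-level log), and whether the injection succeeded; the response-size jump on the always-true request (88211 bytes against a 5120-byte baseline) is the closest proxy available from the web log alone.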
