CVE-2023-38769

7.5 HIGH

📋 TL;DR

This SQL injection vulnerability in ChurchCRM v5.0.0 allows remote attackers to execute arbitrary SQL commands via the searchstring and searchwhat parameters in QueryView.php. This can lead to unauthorized access to sensitive database information. All ChurchCRM v5.0.0 installations with QueryView.php accessible are affected.

💻 Affected Systems

Products:
  • ChurchCRM
Versions: v5.0.0
Operating Systems: Any OS running ChurchCRM
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations of ChurchCRM v5.0.0 are vulnerable. The QueryView.php endpoint must be accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise including extraction of all user credentials, personal data, financial records, and potential system takeover via subsequent attacks.

🟠 Likely Case: Unauthorized access to sensitive user data, configuration information, and potential privilege escalation within the application.

🟢 If Mitigated: Limited or no data exposure if proper input validation and parameterized queries are implemented.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable via web interface without authentication.
🏢 Internal Only: HIGH - Even internal systems are vulnerable to authenticated or unauthenticated attackers.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection via GET parameters is well-understood and easily weaponized. Public disclosure includes technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v5.0.1 or later

Vendor Advisory: https://github.com/ChurchCRM/CRM/wiki

Restart Required: No

Instructions:

1. Backup your ChurchCRM database and files.
2. Download the latest version from the ChurchCRM repository.
3. Replace vulnerable files with patched versions.
4. Verify QueryView.php uses parameterized queries.

🔧 Temporary Workarounds

Web Application Firewall Rule (platform: all)

Block or sanitize SQL injection patterns in the searchstring and searchwhat parameters.

WAF-specific: configure rules to block SQL injection patterns in GET parameters.

Access Restriction (platform: linux)

Restrict access to the QueryView.php endpoint:

Apache: RewriteRule ^QueryView\.php$ - [F]
Nginx: location ~ QueryView\.php { deny all; }

🧯 If You Can't Patch

  • Implement strict input validation for searchstring and searchwhat parameters
  • Deploy a web application firewall with SQL injection protection rules

🔍 How to Verify

Check if Vulnerable:

Test QueryView.php with SQL injection payloads in searchstring/searchwhat parameters: ?searchstring=test' OR '1'='1

Check Version:

Check ChurchCRM version in admin panel or via git describe --tags

Verify Fix Applied:

Verify that QueryView.php no longer executes SQL injection payloads and instead returns a proper error response.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in application logs
  • Multiple failed query attempts with special characters
  • Access to QueryView.php with suspicious parameters

Network Indicators:

  • HTTP requests to QueryView.php containing SQL keywords in parameters
  • Unusual database query patterns from web server

SIEM Query:

web.url="*QueryView.php*" AND (web.param="*searchstring*" OR web.param="*searchwhat*") AND web.param="*' OR *"
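As an added example (not from this advisory or the ChurchCRM project), the following Python script applies the log indicators above to constructed access-log lines: it parses combined-format entries, decodes the query string, and flags requests to QueryView.php whose searchstring or searchwhat values carry SQL-injection markers. The sample log lines and the pattern set are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /QueryView.php?QueryID=3&searchstring=smith&searchwhat=last HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.20 - - [10/Oct/2023:13:56:01 +0000] "GET /QueryView.php?searchstring=test%27%20OR%20%271%27%3D%271&searchwhat=name HTTP/1.1" 200 9812 "-" "curl/8.0"
203.0.113.30 - - [10/Oct/2023:13:57:12 +0000] "GET /index.php?searchstring=a%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 400 "-" "Mozilla/5.0"
203.0.113.40 - - [10/Oct/2023:13:58:44 +0000] "GET /QueryView.php?searchwhat=x%27%20UNION%20SELECT%20NULL--%20 HTTP/1.1" 500 120 "-" "python-requests/2.31"
"""

# Combined log format: client IP, timestamp, request line, status code.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed indicators of an injection attempt in a decoded parameter value:
# quote followed by OR/AND, UNION SELECT, SQL comment openers, stacked statements.
SQLI_RE = re.compile(
    r"""(['"]\s*(or|and)\b)
        |(\bunion\b\s+(all\s+)?\bselect\b)
        |(--\s|/\*|;\s*(drop|select|insert|update|delete)\b)""",
    re.IGNORECASE | re.VERBOSE,
)

WATCHED_PARAMS = ("searchstring", "searchwhat")


def flag_queryview_requests(log_text):
    """Return (ip, param, decoded value, status) for suspicious QueryView.php requests."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a well-formed access-log line
        url = urlsplit(m.group("target"))
        if not url.path.lower().endswith("/queryview.php"):
            continue  # only the vulnerable endpoint is of interest
        params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
        for name in WATCHED_PARAMS:
            for value in params.get(name, []):
                if SQLI_RE.search(value):
                    hits.append((m.group("ip"), name, value, int(m.group("status"))))
    return hits


if __name__ == "__main__":
    for hit in flag_queryview_requests(SAMPLE_LOG):
        print(hit)
```

A legitimate apostrophe in a search term (for example a surname like o'brien) is not flagged, because the pattern requires an SQL keyword after the quote.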
