CVE-2023-38771

7.5 HIGH

📋 TL;DR

This SQL injection vulnerability in ChurchCRM v5.0.0 allows remote attackers to extract sensitive database information by manipulating the volopp parameter in QueryView.php. All organizations running the vulnerable version are affected, potentially exposing member data, financial records, and other sensitive church information.

💻 Affected Systems

Products:
  • ChurchCRM
Versions: v5.0.0
Operating Systems: All platforms running ChurchCRM
Default Config Vulnerable: ⚠️ Yes
Notes: Any ChurchCRM 5.0.0 installation with QueryView.php accessible is vulnerable. The demo site confirms the vulnerability exists in default configuration.

📦 What is this software?

ChurchCRM is an open-source, self-hosted church management system written in PHP on top of a MySQL database. It stores member and family records, contact details, donations and pledges, group memberships and event data, which is why a read primitive against its database exposes both PII and financial information.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including exfiltration of all sensitive data (member PII, financial records, login credentials), potential privilege escalation, and database manipulation.

🟠 Likely Case

Unauthorized access to sensitive member information, donation records, and other confidential church data stored in the database.

🟢 If Mitigated

Limited or no data exposure if the volopp value is validated against an allowlist and the query is rewritten to use parameterized (prepared) statements.

🌐 Internet-Facing: HIGH - The vulnerability is exploitable remotely via web interface without authentication.
🏢 Internal Only: MEDIUM - Internal users could exploit this, but external attackers pose greater risk.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection via GET parameter requires minimal technical skill. Public disclosure includes exploitation details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v5.0.1 or later

Vendor Advisory: https://github.com/ChurchCRM/CRM/wiki/Security-Advisories

Restart Required: No

Instructions:

  1. Back up the ChurchCRM database and files.
  2. Download the latest release from the ChurchCRM GitHub repository.
  3. Replace the vulnerable files with the patched version.
  4. Verify that QueryView.php no longer passes the raw volopp value into the SQL string.

🔧 Temporary Workarounds

Web Application Firewall Rule

Platform: all

Block or sanitize SQL injection patterns in the volopp parameter.

ModSecurity rule (requires a build with libinjection support, which is what provides the @detectSQLi operator):

SecRule ARGS:volopp "@detectSQLi" "id:1001,phase:2,deny,status:403,log,msg:'SQLi attempt in volopp (CVE-2023-38771)'"

The rule inspects the decoded argument value, so single-encoded payloads are caught; double-encoded payloads are only caught if a t:urlDecodeUni transformation is added or the request is normalized before ModSecurity sees it.

Access Restriction

Platform: linux

Temporarily restrict access to QueryView.php to trusted source addresses. The paths below assume ChurchCRM is served from the web root; if it lives under a prefix (for example /churchcrm/), use that full path instead.

Apache (2.4 syntax, mod_authz_core): <Location "/QueryView.php"> Require ip 192.168.1.0/24 </Location>
Nginx: location = /QueryView.php { allow 192.168.1.0/24; deny all; }

Replace 192.168.1.0/24 with the network your staff actually connects from, and remember that this only shrinks the attacker population; an attacker already inside that range, or an attacker who has compromised a host in it, is not stopped.

🧯 If You Can't Patch

  • Implement strict input validation for volopp parameter to only allow expected values
  • Deploy a web application firewall with SQL injection protection rules
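The two controls described in this section and in the Official Fix above, a parameterized query (the real fix) and an allowlist on volopp (the stop-gap if you cannot patch), as an added example that is not ChurchCRM's own code: a small Python model using an in-memory SQLite table that stands in for the vulnerable query pattern. The table name, column names, sample rows and function names are assumptions for illustration, not the project's schema.

```python
import re
import sqlite3

# Constructed sample rows standing in for a ChurchCRM-like person table.
# Table and column names are illustrative assumptions, not the real schema.
SAMPLE_ROWS = [
    (1, "Alice Example", "alice@example.org"),
    (2, "Bob Example", "bob@example.org"),
    (3, "Carol Example", "carol@example.org"),
]

# Stop-gap control: volopp is expected to be a numeric ID, so admit digits only.
VOLOPP_ALLOWED = re.compile(r"^\d{1,10}$")


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE person_per (per_ID INTEGER, per_Name TEXT, per_Email TEXT)"
    )
    conn.executemany("INSERT INTO person_per VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, volopp):
    """Vulnerable pattern: the request parameter is spliced into the SQL text.

    A value such as  1' OR '1'='1  rewrites the WHERE clause so every row matches.
    """
    sql = f"SELECT per_ID, per_Name FROM person_per WHERE per_ID = '{volopp}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, volopp):
    """Hardened form: the value is bound as a parameter and never parsed as SQL."""
    sql = "SELECT per_ID, per_Name FROM person_per WHERE per_ID = ?"
    return conn.execute(sql, (volopp,)).fetchall()


def is_expected_volopp(value):
    """Allowlist check for the workaround: reject anything that is not a plain ID."""
    return VOLOPP_ALLOWED.fullmatch(value) is not None


def lookup_with_allowlist(conn, volopp):
    """Workaround placed in front of the unchanged, still-concatenating query.

    With only digits admitted, the spliced value cannot alter the SQL, which is
    why strict validation is an acceptable stop-gap until the patch is applied.
    """
    if not is_expected_volopp(volopp):
        raise ValueError("volopp must be a numeric ID")
    return lookup_vulnerable(conn, volopp)


if __name__ == "__main__":
    db = make_db()
    payload = "1' OR '1'='1"
    print("benign value, vulnerable query :", lookup_vulnerable(db, "1"))
    print("payload, vulnerable query      :", lookup_vulnerable(db, payload))
    print("payload, parameterized query   :", lookup_parameterized(db, payload))
    print("payload passes allowlist?      :", is_expected_volopp(payload))
```

Run it and compare the second and third lines: the concatenated query returns all three rows for the payload, while the parameterized query treats the whole string as one (non-matching) ID and returns nothing. The same payload is also refused by the allowlist before it reaches any SQL.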

🔍 How to Verify

Check if Vulnerable:

Test QueryView.php with a SQL injection payload in the volopp parameter, for example /QueryView.php?volopp=1' OR '1'='1 (URL-encoded: /QueryView.php?volopp=1%27%20OR%20%271%27%3D%271). Compare the response with a baseline request that uses a benign numeric value: more rows than the baseline, or a database error message, indicates the value reaches the SQL string unescaped.

Check Version:

Check ChurchCRM version in admin panel or review version.php file

Verify Fix Applied:

Attempt SQL injection after patch - should return error or sanitized response instead of database data

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL or PDO errors in the PHP or application error log
  • Multiple requests to QueryView.php with quotes, comment sequences or SQL keywords in parameters, especially from one source address in quick succession
  • HTTP 500 responses or response bodies containing SQL syntax from QueryView.php

Network Indicators:

  • HTTP requests with SQL keywords in volopp parameter
  • Unusual database query patterns from web server IP

SIEM Query:

source="web_logs" AND uri="/QueryView.php" AND (query="*volopp=*'*" OR query="*volopp=*%27*" OR query="*volopp=*%2527*")

This is a Splunk-style search that matches a literal or URL-encoded single quote (including the double-encoded form %2527) in the volopp value. It will not catch payloads that avoid quotes altogether (for example a numeric value followed by OR 1=1), so treat it as a first pass and decode the query string before matching wherever your platform allows it.
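A log-side check for the indicators above, as an added example that is not part of the original page: a Python scanner over constructed Apache combined-format access-log lines that URL-decodes the volopp value repeatedly (so double-encoded quotes such as %2527 are caught) before matching SQL metacharacters and keywords, which is the step the one-line SIEM search cannot do. The sample log lines, the /churchcrm/ path prefix, and the keyword list are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed Apache combined-format access-log lines; not real traffic.
# Line 2 carries a quote-based payload, line 3 a double-encoded time-based one,
# line 4 is an unrelated request that must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /churchcrm/QueryView.php?volopp=12 HTTP/1.1" 200 2326 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /churchcrm/QueryView.php?volopp=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9811 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /churchcrm/QueryView.php?volopp=1%2527%20AND%20SLEEP%285%29--%20 HTTP/1.1" 500 512 "-" "sqlmap/1.7"
203.0.113.9 - - [10/Oct/2023:13:57:12 +0000] "GET /churchcrm/v2/dashboard HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Combined log format: client, identd, user, [timestamp], "METHOD target proto", status
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Metacharacters, comment openers and keywords that have no place in a numeric ID.
SQLI_HINT = re.compile(
    r"""['"`;]                                   # quoting / statement terminator
      | --  | /\* | \#                           # comment openers
      | \b(?:or|and|union|select|sleep|benchmark|load_file|information_schema)\b
    """,
    re.IGNORECASE | re.VERBOSE,
)


def fully_decode(value, max_rounds=3):
    """Undo repeated URL encoding; stops as soon as a round changes nothing."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_log(text, param="volopp", path_suffix="/QueryView.php"):
    """Return one hit per request whose decoded `param` value looks like SQL."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith(path_suffix):
            continue
        # parse_qs decodes one layer; fully_decode peels off any extra layers.
        for raw in parse_qs(parts.query, keep_blank_values=True).get(param, []):
            value = fully_decode(raw)
            hit = SQLI_HINT.search(value)
            if hit:
                hits.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "status": int(m.group("status")),
                    "value": value,
                    "matched": hit.group(0),
                })
    return hits


if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h['ip']} {h['time']} status={h['status']} "
              f"matched={h['matched']!r} value={h['value']!r}")
```

Pass `path_suffix=""` to scan every request rather than only QueryView.php if you want to see whether the same source is probing other parameters; the status field is kept in each hit because a 500 alongside a quoted payload is the strongest single signal that the value reached the database.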
