CVE-2024-53438

9.8 CRITICAL

📋 TL;DR

CVE-2024-53438 is a critical SQL injection vulnerability in ChurchCRM 5.7.0 that allows attackers to execute arbitrary SQL commands by manipulating the 'Event' parameter. This affects all ChurchCRM 5.7.0 installations with the vulnerable EventAttendance.php component, potentially leading to complete database compromise.

💻 Affected Systems

Products:
  • ChurchCRM
Versions: 5.7.0
Operating Systems: All platforms running ChurchCRM
Default Config Vulnerable: ⚠️ Yes
Notes: All installations of ChurchCRM 5.7.0 are vulnerable. The vulnerability is in EventAttendance.php which is part of the core functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise including data theft, data manipulation, privilege escalation, and potential remote code execution via database functions.

🟠 Likely Case: Unauthorized data access, data exfiltration, and potential authentication bypass leading to administrative access.

🟢 If Mitigated: Limited impact with proper input validation and parameterized queries preventing SQL injection.

🌐 Internet-Facing: HIGH - The vulnerability is exploitable via web interface and ChurchCRM is typically internet-facing for member access.
🏢 Internal Only: MEDIUM - Even internal deployments are vulnerable to insider threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is straightforward to exploit as it involves direct parameter manipulation without authentication requirements. Public GitHub references demonstrate the issue.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.7.1 or later

Vendor Advisory: https://github.com/advisories/GHSA-gr5x-8j97-qq23

Restart Required: Yes

Instructions:

1. Back up your ChurchCRM database and files.
2. Download the latest version from the official ChurchCRM repository.
3. Replace the vulnerable EventAttendance.php file with the patched version.
4. Restart your web server.
5. Verify the fix by testing the EventAttendance functionality.

🔧 Temporary Workarounds

Input Validation Filter (platform: all)

Add input validation that rejects a non-numeric 'Event' parameter before it is used in the SQL query.

# Add validation in EventAttendance.php before the SQL query is executed
# Example (PHP): if (!is_numeric($_GET['Event'])) { die('Invalid input'); }

Web Application Firewall Rule (platform: linux)

Block SQL injection patterns in the 'Event' parameter.

# ModSecurity rule: SecRule ARGS:Event "@detectSQLi" "id:1001,phase:2,deny,status:403"

🧯 If You Can't Patch

  • Implement strict input validation for all Event parameter inputs
  • Deploy a web application firewall (WAF) with SQL injection protection rules

🔍 How to Verify

Check if Vulnerable:

Check whether EventAttendance.php exists and uses the unsanitized $_GET['Event'] parameter in SQL queries. Test with the payload ' OR '1'='1 in the Event parameter.

Check Version:

Check the ChurchCRM version in the admin panel or examine the version.php file.

Verify Fix Applied:

Verify that EventAttendance.php uses parameterized queries or proper input validation. Test with SQL injection payloads to confirm they are blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts after EventAttendance access
  • SQL syntax errors in web server logs

Network Indicators:

  • Unusual database connections from web server
  • Large data transfers from database server

SIEM Query:

source="web_logs" AND ("EventAttendance" AND ("UNION" OR "SELECT" OR "INSERT" OR "DELETE" OR "DROP"))
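As an added example (not part of this advisory), the following Python script applies the page's "Event must be numeric" check to web access-log lines offline: it URL-decodes the query string and flags every request to EventAttendance.php whose Event value is not a bare integer id, which the keyword-only SIEM query above would miss when the payload is URL-encoded. The log lines are constructed samples, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines in common log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Dec/2024:10:01:02 +0000] "GET /EventAttendance.php?Event=12 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Dec/2024:10:01:09 +0000] "GET /EventAttendance.php?Event=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9901
203.0.113.9 - - [10/Dec/2024:10:02:15 +0000] "GET /EventAttendance.php?Event=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 302
203.0.113.5 - - [10/Dec/2024:10:03:00 +0000] "GET /Reports.php?Event=select HTTP/1.1" 200 800
"""

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Keywords from the SIEM query above plus the quote, comment and statement
# separator characters that the ' OR '1'='1 test payload relies on.
SQL_TOKENS = re.compile(r'''(?i)\b(union|select|insert|delete|drop)\b|['"]|--|;''')

def classify_event(value):
    """Return None for a plain integer id, otherwise a short reason string."""
    if value.isdigit():
        return None
    if SQL_TOKENS.search(value):
        return "sql-tokens"
    return "non-numeric"

def flag_event_requests(log_text):
    """Return (client_ip, decoded_event_value, reason) for each request to
    EventAttendance.php whose Event parameter is not a bare integer."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/EventAttendance.php"):
            continue  # only the vulnerable endpoint is of interest here
        client_ip = line.split(" ", 1)[0]
        # parse_qs URL-decodes the values once, so quotes and keywords that
        # arrive percent-encoded become visible to the checks below.
        for value in parse_qs(url.query, keep_blank_values=True).get("Event", []):
            reason = classify_event(value)
            if reason:
                findings.append((client_ip, value, reason))
    return findings

if __name__ == "__main__":
    for ip, value, reason in flag_event_requests(SAMPLE_LOG):
        print(f"{ip}\t{reason}\t{value!r}")
```

Requests to other scripts that merely contain the word "select" are not reported, which keeps the noise of the broad keyword query out of the alert stream.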
