CVE-2023-38765 in ChurchCRM

Summary

by MITRE • 08/08/2023

SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the membermonth parameter within the /QueryView.php.


Analysis

by VulDB Data Team • 01/20/2026

CVE-2023-38765 is a SQL injection flaw in ChurchCRM version 5.0.0 that lets a remote attacker read data from the application's database. The flaw is in QueryView.php, which incorporates the membermonth request parameter into a SQL statement without validating it or binding it as a query parameter. Because the value becomes part of the SQL text rather than a bound value, a crafted parameter changes the structure of the query instead of merely the value being compared.

The weakness follows the standard SQL injection pattern: the membermonth parameter is the injection point, and whatever the client sends is concatenated into the query. A parameter that should only ever be a month number can therefore carry an appended UNION SELECT against other tables, or a boolean or time-based condition that leaks data one bit at a time. The advisory describes information disclosure only; nothing on this page establishes that the injected query can modify records or run commands on the database server, and whether that is possible would depend on the database account's privileges and the query context, neither of which is stated here. The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), the Common Weakness Enumeration entry for building queries from untrusted input.

The data at risk is whatever the ChurchCRM database holds about a congregation, such as members' contact details, membership records and any financial records the deployment tracks. The summary describes a remote attacker but does not say whether a valid ChurchCRM session is needed to reach QueryView.php; until that is confirmed for a given deployment, defenders should treat the endpoint as reachable by any remote user. The vulnerability maps to ATT&CK technique T1213.002 (Data from Information Repositories), since it lets an adversary pull data out of the application's database. Organizations running ChurchCRM 5.0.0 face a realistic risk of a personal-data breach, and with it possible notification and compliance obligations under regulations such as GDPR or CCPA.

Mitigation for CVE-2023-38765 starts with upgrading to a ChurchCRM release that fixes the issue. The code-level fix is to stop building the query from the raw parameter: bind membermonth as a query parameter in a prepared statement, and separately validate it against what it can legitimately be, which for a month is an integer from 1 to 12 (an allow-list check like this is input validation; parameterized queries are a different control, and both belong in the fix). A web application firewall or intrusion detection rule that flags SQL keywords in the membermonth parameter adds a layer of defence and some visibility, but it is not a substitute for the patch, since WAF signatures can be evaded. Since the same concatenation pattern tends to recur within a code base, a review of other request parameters that reach SQL in the application is worthwhile, along with regular security assessment of the deployment. The case illustrates why keeping application software current and building database access on parameterized queries matter for any system holding personal data.
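The following is an added example, not code from ChurchCRM or from this advisory, showing the concatenation pattern described above beside the fixed form. The schema, table and column names (person, user_account, member_month) and the sample rows are constructed for the demonstration and are assumptions, not ChurchCRM's real schema; SQLite stands in for the application's database. The vulnerable function pastes membermonth into the SQL text, so a value carrying an appended UNION SELECT reads a second table; the hardened function validates the parameter as a month number and binds it, so the same value is rejected before any query runs.

```python
import re
import sqlite3

# Constructed sample data: stands in for a membership database.
# Not ChurchCRM's schema; names are assumptions for this example.
SAMPLE_PEOPLE = [
    ("Alice", 3, "alice@example.org"),
    ("Bob", 3, "bob@example.org"),
    ("Carol", 7, "carol@example.org"),
]
SAMPLE_ACCOUNT = ("admin", "$2y$10$constructed-hash-value")

# Attacker-controlled membermonth value: keeps the original WHERE clause
# satisfied and appends a second SELECT against a table the page should
# never expose. Column count (2) matches the original query.
UNION_PAYLOAD = "3 UNION SELECT username, password_hash FROM user_account"


def make_db():
    """Create an in-memory database with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person (name TEXT, member_month INTEGER, email TEXT)")
    conn.execute("CREATE TABLE user_account (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO person VALUES (?, ?, ?)", SAMPLE_PEOPLE)
    conn.execute("INSERT INTO user_account VALUES (?, ?)", SAMPLE_ACCOUNT)
    return conn


def vulnerable_query(conn, membermonth):
    """CWE-89 pattern: the request value becomes part of the SQL text."""
    sql = "SELECT name, email FROM person WHERE member_month = " + membermonth
    return conn.execute(sql).fetchall()


def validate_month(membermonth):
    """Allow-list check: membermonth must be a decimal integer 1..12.

    A strict regex is used rather than int(), because int() also accepts
    surrounding whitespace, a sign and digit separators such as '1_0'.
    """
    if not isinstance(membermonth, str) or not re.fullmatch(r"[0-9]{1,2}", membermonth):
        raise ValueError("membermonth must be an integer between 1 and 12")
    month = int(membermonth)
    if not 1 <= month <= 12:
        raise ValueError("membermonth must be an integer between 1 and 12")
    return month


def safe_query(conn, membermonth):
    """Hardened form: validate, then bind the value as a query parameter.

    The '?' placeholder is sent separately from the SQL text, so even a
    value that slipped past validation could not change the query shape.
    """
    month = validate_month(membermonth)
    sql = "SELECT name, email FROM person WHERE member_month = ?"
    return conn.execute(sql, (month,)).fetchall()


def leaked_credentials(conn):
    """Rows the UNION payload pulls from user_account via the vulnerable path."""
    rows = vulnerable_query(conn, UNION_PAYLOAD)
    return [row for row in rows if row[0] == SAMPLE_ACCOUNT[0]]


def hardened_rejects_payload(conn):
    """True when the hardened path refuses the payload before querying."""
    try:
        safe_query(conn, UNION_PAYLOAD)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("benign, vulnerable path :", vulnerable_query(db, "3"))
    print("payload, vulnerable path:", vulnerable_query(db, UNION_PAYLOAD))
    print("benign, hardened path   :", safe_query(db, "3"))
    print("payload rejected        :", hardened_rejects_payload(db))
```

Run it and the vulnerable path returns the admin username and password hash alongside the March members, while the hardened path returns the same two members for "3" and raises ValueError on the payload. The regex allow-list is what a month parameter actually needs; the bound parameter is what protects the query if a future change loosens the validation.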

Reservation

07/25/2023

Disclosure

08/08/2023

Moderation

accepted

CPE

ready

EPSS

0.00710

KEV

no

Activities

very low
