CVE-2023-38768 in ChurchCRM

Summary

by MITRE • 08/08/2023

SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the PropertyID parameter within the /QueryView.php.


Analysis

by VulDB Data Team • 01/20/2026

The SQL injection vulnerability identified as CVE-2023-38768 affects ChurchCRM version 5.0.0 and lets a remote attacker read data from the application's database. The flaw is reached through the PropertyID parameter handled by QueryView.php: the value is used to build a database query without being validated as the integer the application expects or bound as a query parameter, so attacker-supplied text becomes part of the SQL statement the database executes.

The weakness is CWE-89, improper neutralization of special elements used in an SQL command, the usual category for web applications that concatenate user input into query strings instead of parameterizing it. The CVE summary describes the attacker as remote; the entry does not state whether a ChurchCRM login is needed, so until that is confirmed every user who can reach the web interface should be treated as a potential attacker. PropertyID is the injection point. Because the published impact is information disclosure, the techniques to expect are UNION-based queries that append rows from unrelated tables to the legitimate result set, and error-based or boolean inference where the query result is not rendered directly.

The operational impact is primarily to confidentiality. A ChurchCRM database holds member information: personal and contact details, membership and giving records, and other data the organization is obliged to protect. QueryView.php presumably serves queries about church properties and member records, so an attacker who can steer its SQL can reach tables well beyond the one the page was meant to display. Whether integrity is also affected depends on details the entry does not give; a SELECT-context injection yields reads, and writes would require the database layer to accept stacked statements. Exposure of member data can trigger obligations under data protection laws such as GDPR or CCPA.

Organizations running ChurchCRM 5.0.0 should upgrade to a release in which the maintainers have fixed the issue; check the project's release notes, since this entry does not name the fixed version. If upgrading is not immediately possible, the code-level fix is to validate PropertyID as an integer and pass it to the database as a bound parameter rather than by string concatenation. Output encoding does not help against SQL injection and should not be counted as a mitigation here. A web application firewall that flags non-numeric PropertyID values is a compensating control, not a fix. Running the application under a database account with the minimum privileges needed, and in particular without access to tables the page does not use, limits what a successful UNION query can return, and request logging for QueryView.php gives a way to spot exploitation attempts. In OWASP Top Ten terms this is A03:2021 Injection; in ATT&CK terms exploitation of this flaw is T1190, Exploit Public-Facing Application (T1071.004 is Application Layer Protocol: DNS and is unrelated to this vulnerability).
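The following is an added example, not code from ChurchCRM or from this entry. It reproduces the shape of the flaw (an integer-looking parameter dropped into a query by string concatenation) against an in-memory SQLite database, shows a UNION-based payload pulling rows from an unrelated table, and shows the parameterized and type-checked version that stops it. The table and column names (property_tbl, person_tbl, pro_ID, per_Email) and the query shape are assumptions made for the example; the page does not show ChurchCRM's actual query.

```python
"""Added example (not ChurchCRM code): how a numeric ID parameter concatenated
into a query leaks unrelated rows, and how validation plus binding stops it."""
import sqlite3

# Constructed schema and data; table and column names are assumptions
# made for this example, not ChurchCRM's real schema.
SCHEMA = """
CREATE TABLE property_tbl (pro_ID INTEGER PRIMARY KEY, pro_Name TEXT);
CREATE TABLE person_tbl   (per_ID INTEGER PRIMARY KEY, per_Email TEXT);
INSERT INTO property_tbl VALUES (1, 'Choir member'), (2, 'Volunteer');
INSERT INTO person_tbl   VALUES (10, 'alice@example.org'), (11, 'bob@example.org');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_property_vulnerable(conn, property_id):
    """Assumed shape of the flaw: untrusted text pasted straight into the SQL."""
    sql = "SELECT pro_ID, pro_Name FROM property_tbl WHERE pro_ID = " + property_id
    return conn.execute(sql).fetchall()


def lookup_property_fixed(conn, property_id):
    """Check the type first, then bind the value; the driver never parses it as SQL."""
    if not property_id.isdigit():
        raise ValueError("PropertyID must be a non-negative integer")
    sql = "SELECT pro_ID, pro_Name FROM property_tbl WHERE pro_ID = ?"
    return conn.execute(sql, (int(property_id),)).fetchall()


# UNION-based payload: the first SELECT matches nothing, the second appends
# rows from an unrelated table whose column count matches the original query.
PAYLOAD = "0 UNION SELECT per_ID, per_Email FROM person_tbl"


def demo():
    """Return (rows leaked by the vulnerable lookup, rows from a benign fixed
    lookup, whether the fixed lookup rejected the payload)."""
    conn = open_db()
    leaked = lookup_property_vulnerable(conn, PAYLOAD)
    benign = lookup_property_fixed(conn, "1")
    try:
        lookup_property_fixed(conn, PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True
    return leaked, benign, blocked


if __name__ == "__main__":
    leaked, benign, blocked = demo()
    print("vulnerable lookup returned:", leaked)
    print("fixed lookup, id=1:", benign)
    print("fixed lookup rejected payload:", blocked)
```

The column-count requirement is why an attacker's first step against a UNION-able query is usually to find how many columns the legitimate SELECT returns; once that is known, any table the database account can read is reachable through the same parameter, which is the argument for a least-privilege database account in the mitigation section.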
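As an added example of the monitoring suggested above (not part of this entry and not a ChurchCRM component), the check below scans web server access-log lines for requests to QueryView.php whose PropertyID, after URL decoding, is not a plain integer. The log lines are constructed for the example in Apache combined format; the exact path prefix and parameter casing are assumptions and should be adjusted to the deployment being monitored.

```python
"""Added example: flag QueryView.php requests whose PropertyID is not a plain
integer. Log lines are constructed for the example, not real traffic."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (Apache combined format).
SAMPLE_LOG = r"""
203.0.113.5 - - [08/Aug/2023:10:00:01 +0000] "GET /QueryView.php?PropertyID=3 HTTP/1.1" 200 1423
203.0.113.5 - - [08/Aug/2023:10:00:07 +0000] "GET /QueryView.php?PropertyID=3%20UNION%20SELECT%20per_ID,per_Email%20FROM%20person_tbl HTTP/1.1" 200 5120
203.0.113.5 - - [08/Aug/2023:10:00:09 +0000] "GET /QueryView.php?PropertyID=3%20AND%20(SELECT%20COUNT(*)%20FROM%20person_tbl)%3E0 HTTP/1.1" 200 1423
198.51.100.7 - - [08/Aug/2023:10:01:00 +0000] "GET /index.php HTTP/1.1" 200 987
""".strip().splitlines()

# Pull the method and request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def suspicious_property_ids(lines):
    """Return (client address, decoded PropertyID) for every request to
    QueryView.php whose PropertyID is not a non-negative integer.
    Only query-string parameters are inspected; a POST body is not in the log."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/QueryView.php"):
            continue
        # parse_qs URL-decodes the values, so %20 and %3E become ' ' and '>'.
        for value in parse_qs(parts.query).get("PropertyID", []):
            if not value.isdigit():
                hits.append((line.split()[0], value))
    return hits


if __name__ == "__main__":
    for client, value in suspicious_property_ids(SAMPLE_LOG):
        print(f"{client}: PropertyID={value!r}")
```

Decoding before matching matters: a filter that looks for the literal string "UNION" in the raw request line misses the same payload once it is percent-encoded or mixed-case. Checking the decoded value against the type the application expects (an integer) is both simpler and harder to evade than a signature list.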

Reservation

07/25/2023

Disclosure

08/08/2023

Moderation

accepted

CPE

ready

EPSS

0.00710

KEV

no

Activities

very low
