CVE-2023-38769 in ChurchCRMinfo

Summary

by MITRE • 08/08/2023

SQL injection vulnerability in ChurchCRM v.5.0.0 allows a remote attacker to obtain sensitive information via the searchstring and searchwhat parameters within the /QueryView.php.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 01/20/2026

The SQL injection vulnerability identified as CVE-2023-38769 affects ChurchCRM version 5.0.0 and represents a critical security flaw that enables remote attackers to execute unauthorized database queries. This vulnerability specifically targets the QueryView.php endpoint where user input is improperly sanitized before being incorporated into SQL statements. The attack vector exploits the searchstring and searchwhat parameters which are directly used in database operations without adequate input validation or parameterization mechanisms. The vulnerability falls under CWE-89 which categorizes SQL injection flaws as weaknesses that occur when application code incorporates user-provided data into SQL queries without proper sanitization or escaping.

The technical implementation of this vulnerability allows an attacker to manipulate the database query structure by injecting malicious SQL code through the vulnerable parameters. When a user submits search requests through the web interface, the application processes these inputs directly into SQL commands without proper input filtering or prepared statement usage. This creates an opportunity for attackers to extract sensitive data such as user credentials, personal information, or system configuration details from the underlying database. The impact extends beyond simple data theft to potentially enabling further attack vectors including privilege escalation or complete system compromise. The vulnerability demonstrates poor input handling practices that align with ATT&CK technique T1071.004 for application layer protocol manipulation and T1213.002 for data from information repositories.

Operational impact of this vulnerability is significant for organizations using ChurchCRM as their primary church management system. The remote nature of the attack means that threat actors can exploit this flaw from anywhere on the internet without requiring physical access or prior authentication. Organizations may experience unauthorized data access, potential data breaches, and compliance violations if sensitive personal information of church members is compromised. The vulnerability affects the integrity and confidentiality of the system, potentially exposing member records, financial information, and other sensitive data. Additionally, the compromise of such systems can lead to reputational damage and legal consequences under data protection regulations. The attack requires minimal technical expertise to exploit, making it particularly dangerous for organizations with limited security resources.

Mitigation strategies for this vulnerability should include immediate implementation of parameterized queries or prepared statements to prevent SQL injection attacks. Organizations should apply the vendor-provided patch or upgrade to a version that addresses this vulnerability. Input validation and sanitization should be implemented at multiple layers including application firewall rules that filter out suspicious characters and patterns. Network segmentation and access controls should limit exposure of the vulnerable application to only authorized users. Regular security testing including automated vulnerability scanning and manual penetration testing should be conducted to identify similar issues. The implementation of web application firewalls and intrusion detection systems can help detect and block exploitation attempts. Additionally, security awareness training for administrators and users should emphasize the importance of keeping software updated and recognizing potential attack patterns. Organizations should also implement proper logging and monitoring to detect unauthorized access attempts and maintain audit trails for forensic analysis. The vulnerability highlights the critical need for secure coding practices and regular security assessments in web applications.

Reservation

07/25/2023

Disclosure

08/08/2023

Moderation

accepted

CPE

ready

EPSS

0.00710

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!