CVE-2019-25450: SQL Injection in ERP CRM

CWE-89: SQL Injection (4 documents, 4 sources)

Severity: 7.1 HIGH (NVD)
EPSS: 0.0% (top 85.82%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products:
Timeline: Published Feb 22

Description

Dolibarr ERP/CRM 10.0.1 contains multiple SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries by injecting SQL code through POST parameters. Attackers can inject malicious SQL through parameters like actioncode, demand_reason_id, and availability_id in card.php endpoints to extract sensitive database information using boolean-based blind, error-based, and time-based blind techniques.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Packages (2 packages)

Vulnerability Details (3)

GHSA: GHSA-5fc6-42f5-w7cm: Dolibarr ERP/CRM 10 (2026-02-22)
OSV: CVE-2019-25450: Dolibarr ERP/CRM 10 (2026-02-22)
CVEList: Dolibarr ERP/CRM 10.0.1 SQL Injection via card.php (2026-02-22)

CVE-2019-25450: SQL Injection in Dolibarr ERP CRM | cvebase