CVE-2019-25450
Dolibarr ERP/CRM 10.0.1 SQL Injection via card.php
Description
Dolibarr ERP/CRM 10.0.1 contains multiple SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries by injecting SQL code through POST parameters. Attackers can inject malicious SQL through parameters like actioncode, demand_reason_id, and availability_id in card.php endpoints to extract sensitive database information using boolean-based blind, error-based, and time-based blind techniques.
CVSS Vector Breakdown
AV:NAttack VectorAC:LAttack ComplexityPR:NPrivileges RequiredUI:NUser InteractionS:UScopeC:HConfidentialityI:NIntegrityA:NAvailabilityWeaknesses
Affected Products
Exploitability
Exploit details including PoC links, Metasploit modules, and scanner templates are available after registration.
View exploit detailsAttack Graph
Click technique nodes to view MITRE ATT&CK details. Scroll to zoom, drag to pan.
MITRE ATT&CK
1 techniqueReferences
Timeline
Unlock Complete Vulnerability Intelligence
Get the full picture for CVE-2019-25450 and every CVE in our database. Create a free account — no credit card required.
Create Free Account