Platform: php
Component: dolibarr
Fixed in: 8.0.5
CVE-2019-25710 describes a SQL injection vulnerability discovered in Dolibarr ERP-CRM. This flaw allows attackers to inject arbitrary SQL queries, potentially leading to unauthorized access to sensitive data. The vulnerability impacts Dolibarr ERP-CRM version 8.0.4. A fix is available through upgrading to a patched version.
The SQL injection vulnerability in Dolibarr ERP-CRM allows an attacker to manipulate database queries through the rowid parameter in the dict.php endpoint. Successful exploitation could enable attackers to extract sensitive information such as user credentials, financial data, customer details, and other confidential business records. Depending on database permissions, an attacker might even be able to modify or delete data, leading to significant operational disruption and data loss. The attack leverages error-based SQL injection techniques, making it potentially easier to exploit than blind SQL injection.
CVE-2019-25710 was published on 2026-04-12. No public proof-of-concept (PoC) code has been widely reported, but the vulnerability's nature makes it likely that exploits could be developed. The vulnerability's severity and the potential for data exfiltration warrant prompt remediation. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.03% (8th percentile)
CVSS Vector
The primary mitigation for CVE-2019-25710 is to upgrade Dolibarr ERP-CRM to a patched version. Consult the Dolibarr documentation for the latest recommended version and upgrade instructions. If upgrading immediately is not feasible, consider implementing a Web Application Firewall (WAF) rule to filter requests containing suspicious SQL syntax in the rowid parameter of the dict.php endpoint. Input validation and sanitization on the server-side can also help prevent SQL injection attacks. Regularly review database user permissions to minimize the potential impact of a successful exploit.
Update Dolibarr ERP-CRM to a patched version. Refer to the Dolibarr website for information on available updates and migration instructions. Ensure you back up your database before applying any updates.
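As an added example (not code from the page or from the Dolibarr project), the following script shows the allow-list check behind the WAF suggestion above: it scans access-log lines for requests to dict.php whose rowid parameter is anything other than a plain integer, and reports the HTTP status so that an error response alongside a malformed rowid stands out. The log lines, IP addresses and the /dolibarr/admin/ path prefix are constructed for the demonstration; only the dict.php endpoint and rowid parameter come from the advisory.

```python
import re
from urllib.parse import urlsplit, parse_qs

# A legitimate rowid is a database row identifier: digits only.
# Checking against this allow-list catches every non-integer value,
# which is more robust than matching a list of SQL keywords.
ROWID_OK = re.compile(r"^[0-9]+$")

# Minimal combined-log-format parser (client IP, request line, status).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Apr/2026:10:00:01 +0000] '
    '"GET /dolibarr/admin/dict.php?id=3&rowid=12&action=edit HTTP/1.1" 200 5120',
    '203.0.113.5 - - [12/Apr/2026:10:00:07 +0000] '
    '"GET /dolibarr/admin/dict.php?id=3&rowid=12%27&action=edit HTTP/1.1" 500 312',
    '198.51.100.9 - - [12/Apr/2026:10:01:00 +0000] '
    '"GET /dolibarr/index.php?rowid=abc HTTP/1.1" 200 900',
]


def suspicious_rowid_requests(lines):
    """Return (client_ip, decoded_rowid, status) for each dict.php request
    whose rowid parameter is not a plain integer."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/dict.php"):
            continue  # only the affected endpoint is of interest
        # parse_qs percent-decodes values, so %27 becomes a literal quote.
        for value in parse_qs(parts.query, keep_blank_values=True).get("rowid", []):
            if not ROWID_OK.fullmatch(value):
                hits.append((m.group("ip"), value, m.group("status")))
    return hits


if __name__ == "__main__":
    for ip, rowid, status in suspicious_rowid_requests(SAMPLE_LOG):
        print(f"{ip} sent non-integer rowid {rowid!r} to dict.php (HTTP {status})")
```

The same allow-list rule (rowid must match `^[0-9]+$`) can be expressed directly in most WAF products as a positive-validation rule on that one parameter, which avoids the false negatives of keyword blocklists.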
CVE-2019-25710 is a SQL injection vulnerability in Dolibarr ERP-CRM version 8.0.4, allowing attackers to execute arbitrary SQL queries via the rowid parameter in dict.php.
If you are running Dolibarr ERP-CRM version 8.0.4, you are potentially affected by this vulnerability and should upgrade immediately.
The recommended fix is to upgrade Dolibarr ERP-CRM to a patched version. Consult the official Dolibarr documentation for upgrade instructions.
While no widespread exploitation has been publicly confirmed, the vulnerability's nature makes it a potential target for attackers.
Refer to the official Dolibarr security advisories on their website for detailed information and updates regarding CVE-2019-25710.