CVE-2019-25669
Received Received - Intake
SQL Injection in qdPM 9.1 Allows Database Data Extraction

Publication date: 2026-04-05

Last updated on: 2026-04-09

Assigner: VulnCheck

Description
qdPM 9.1 contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the search_by_extrafields[] parameter. Attackers can send POST requests to the users endpoint with malicious search_by_extrafields[] values to trigger SQL syntax errors and extract database information.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-05
Last Modified
2026-04-09
Generated
2026-05-06
AI Q&A
2026-04-06
EPSS Evaluated
2026-05-05
NVD
CVE-2019-25669
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
qdpm qdpm to 9.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring for POST requests to the users endpoint that include the search_by_extrafields[] parameter with suspicious or malformed SQL code.

Specifically, sending crafted POST requests with various SQL injection payloads in the search_by_extrafields[] parameter and observing for SQL syntax errors or abnormal database responses can help identify the vulnerability.

However, no specific detection commands or tools are provided in the available information.


Can you explain this vulnerability to me?

The vulnerability in qdPM 9.1 is an SQL injection issue. It allows attackers to manipulate database queries by injecting malicious SQL code through the search_by_extrafields[] parameter. By sending specially crafted POST requests to the users endpoint with harmful search_by_extrafields[] values, attackers can cause SQL syntax errors and potentially extract sensitive information from the database.


How can this vulnerability impact me? :

This vulnerability can have serious impacts including unauthorized access to sensitive database information. Attackers can exploit the SQL injection to extract confidential data, which can lead to data breaches, loss of data integrity, and exposure of private user information. The vulnerability has a high severity score, indicating a significant risk if exploited.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps are not explicitly detailed in the provided information.

Generally, to mitigate SQL injection vulnerabilities like this one, it is recommended to validate and sanitize all user inputs, especially the search_by_extrafields[] parameter, and use parameterized queries or prepared statements.

Additionally, restricting access to the affected endpoint and applying any available patches or updates from the vendor are advisable.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart