CVE-2019-25707

Received Received - Intake

SQL Injection in eBrigade ERP 4.5 Allows Data Extraction

Publication date: 2026-04-12

Last updated on: 2026-04-17

Assigner: VulnCheck

Description

eBrigade ERP 4.5 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to pdf.php with crafted SQL payloads in the 'id' parameter to extract sensitive database information including table names and schema details.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-04-12

Last Modified

2026-04-17

Generated

2026-06-16

AI Q&A

2026-04-12

EPSS Evaluated

2026-06-15

NVD

CVE-2019-25707

EUVD

EUVD-2019-20137

Affected Vendors & Products

Vendor	Product	Version / Range
ebrigade	ebrigade	4.5

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

CVE-2019-25707 is a SQL injection vulnerability in eBrigade ERP version 4.5, specifically in the pdf.php script through the 'id' parameter.

This vulnerability allows authenticated attackers to inject malicious SQL code via the 'id' parameter in GET requests, enabling them to execute arbitrary SQL queries on the backend database.

Exploitation of this flaw can lead to unauthorized extraction of sensitive database information such as table names and schema details.

Impact Analysis

This vulnerability can impact you by allowing an attacker with low privileges to execute arbitrary SQL queries on your database.

As a result, attackers can extract sensitive information from your database, including table names and schema details, potentially leading to data disclosure.

The vulnerability has a CVSS v4 base score of 7.1, indicating a high-severity risk with network attack vector and low attack complexity.

Detection Guidance

This SQL injection vulnerability can be detected by sending crafted GET requests to the vulnerable script pdf.php with malicious SQL payloads in the 'id' parameter and observing the responses for database metadata or error messages.

A typical detection command involves using curl or similar tools to send a GET request with a SQL injection payload, for example:

curl "http://[target]/pdf.php?pdf=DPS&id=1' UNION SELECT 1, CONCAT(table_name,0x3a,column_name), 3 FROM INFORMATION_SCHEMA.COLUMNS WHERE table_schema=database() LIMIT 0,1-- -"

This command attempts to extract database schema information by injecting a UNION SELECT statement into the 'id' parameter. If the response contains concatenated table or column names, it indicates the presence of the vulnerability.

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable pdf.php script to trusted users only, as the vulnerability requires authentication.

Additionally, applying input validation and sanitization on the 'id' parameter to prevent SQL injection is critical.

If available, update or patch the eBrigade ERP software to a version where this vulnerability is fixed.

As a temporary measure, consider implementing Web Application Firewall (WAF) rules to detect and block malicious SQL injection payloads targeting the 'id' parameter in pdf.php.

Compliance Impact

The vulnerability allows authenticated attackers to execute arbitrary SQL queries and extract sensitive database information, including table names and schema details. This unauthorized data disclosure could lead to exposure of personal or sensitive information stored in the database.

Such exposure of sensitive data may impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

However, the provided context and resources do not explicitly discuss the direct impact of this vulnerability on compliance with these standards.

Hi! I’m here to help you understand CVE-2019-25707. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2019-25707

SQL Injection in eBrigade ERP 4.5 Allows Data Extraction

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart