CVE-2019-25707
SQL Injection in eBrigade ERP 4.5 Allows Data Extraction
Publication date: 2026-04-12
Last updated on: 2026-04-17
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ebrigade | ebrigade | 4.5 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2019-25707 is a SQL injection vulnerability in eBrigade ERP version 4.5, specifically in the pdf.php script through the 'id' parameter.
This vulnerability allows authenticated attackers to inject malicious SQL code via the 'id' parameter in GET requests, enabling them to execute arbitrary SQL queries on the backend database.
Exploitation of this flaw can lead to unauthorized extraction of sensitive database information such as table names and schema details.
How can this vulnerability impact me? :
This vulnerability can impact you by allowing an attacker with low privileges to execute arbitrary SQL queries on your database.
As a result, attackers can extract sensitive information from your database, including table names and schema details, potentially leading to data disclosure.
The vulnerability has a CVSS v4 base score of 7.1, indicating a high-severity risk with network attack vector and low attack complexity.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This SQL injection vulnerability can be detected by sending crafted GET requests to the vulnerable script pdf.php with malicious SQL payloads in the 'id' parameter and observing the responses for database metadata or error messages.
A typical detection command involves using curl or similar tools to send a GET request with a SQL injection payload, for example:
- curl "http://[target]/pdf.php?pdf=DPS&id=1' UNION SELECT 1, CONCAT(table_name,0x3a,column_name), 3 FROM INFORMATION_SCHEMA.COLUMNS WHERE table_schema=database() LIMIT 0,1-- -"
This command attempts to extract database schema information by injecting a UNION SELECT statement into the 'id' parameter. If the response contains concatenated table or column names, it indicates the presence of the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable pdf.php script to trusted users only, as the vulnerability requires authentication.
Additionally, applying input validation and sanitization on the 'id' parameter to prevent SQL injection is critical.
If available, update or patch the eBrigade ERP software to a version where this vulnerability is fixed.
As a temporary measure, consider implementing Web Application Firewall (WAF) rules to detect and block malicious SQL injection payloads targeting the 'id' parameter in pdf.php.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows authenticated attackers to execute arbitrary SQL queries and extract sensitive database information, including table names and schema details. This unauthorized data disclosure could lead to exposure of personal or sensitive information stored in the database.
Such exposure of sensitive data may impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.
However, the provided context and resources do not explicitly discuss the direct impact of this vulnerability on compliance with these standards.