CVE-2019-25710
Received Received - Intake
SQL Injection in Dolibarr 8.0.4 admin dict.php Endpoint

Publication date: 2026-04-12

Last updated on: 2026-04-17

Assigner: VulnCheck

Description
Dolibarr ERP-CRM 8.0.4 contains an SQL injection vulnerability in the rowid parameter of the admin dict.php endpoint that allows attackers to execute arbitrary SQL queries. Attackers can inject malicious SQL code through the rowid POST parameter to extract sensitive database information using error-based SQL injection techniques.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-12
Last Modified
2026-04-17
Generated
2026-06-16
AI Q&A
2026-04-12
EPSS Evaluated
2026-06-15
NVD
CVE-2019-25710
EUVD
EUVD-2019-20143
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dolibarr dolibarr_erp/crm to 8.0.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2019-25710 is an SQL injection vulnerability found in Dolibarr ERP-CRM version 8.0.4 and earlier. It exists in the 'rowid' parameter of the admin dict.php endpoint. An attacker can inject malicious SQL code through this parameter using error-based SQL injection techniques.

This injection allows the attacker to execute arbitrary SQL queries on the database, potentially extracting sensitive information by causing the database to return error messages containing the injected data.

Impact Analysis

This vulnerability can have a significant impact as it allows remote attackers to execute arbitrary SQL queries without authentication or user interaction.

  • Attackers can extract sensitive database information, compromising confidentiality.
  • The integrity of the data can be partially affected, although the main impact is on confidentiality.
  • Since the attack can be performed remotely and without any privileges, it poses a high risk to affected systems.
Detection Guidance

This SQL injection vulnerability can be detected by testing the 'rowid' POST parameter on the admin dict.php endpoint for injection flaws using error-based SQL injection payloads.

A specific test command involves sending a POST request to the vulnerable endpoint with a payload designed to trigger an SQL error, such as the following payload in the 'rowid' parameter:

  • rowid=\%' AND EXTRACTVALUE(6385,CONCAT(0x5c,0x716b717871,(SELECT (ELT(6385=6385,1))),0x7176787171)) AND '%'='

This payload uses the EXTRACTVALUE function to cause an error that reveals whether the injection is successful. You can use tools like curl or Burp Suite to send such POST requests to the URL endpoint `/doli/htdocs/admin/dict.php?id=16` and observe the responses for SQL error messages indicating vulnerability.

Mitigation Strategies

Immediate mitigation steps include:

  • Restrict access to the vulnerable admin dict.php endpoint to trusted users only.
  • Apply input validation and sanitization on the 'rowid' POST parameter to prevent SQL injection.
  • If available, upgrade Dolibarr ERP-CRM to a version later than 8.0.4 where this vulnerability is fixed.
  • Use web application firewalls (WAF) to detect and block malicious SQL injection attempts targeting this parameter.

Since the vulnerability allows remote exploitation without authentication, immediate access control and patching are critical to prevent data leakage.

Compliance Impact

The SQL injection vulnerability in Dolibarr ERP-CRM 8.0.4 allows attackers to extract sensitive database information by exploiting the 'rowid' parameter. This unauthorized access to sensitive data can lead to breaches of confidentiality.

Such exposure of sensitive information can negatively impact compliance with data protection regulations and standards like GDPR and HIPAA, which require the protection of personal and sensitive data against unauthorized access.

Therefore, this vulnerability poses a risk to maintaining compliance with these regulations due to the potential for data leakage and unauthorized data exposure.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2019-25710. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart