CVE-2019-25450
📋 TL;DR
Dolibarr ERP/CRM 10.0.1 contains SQL injection vulnerabilities in card.php endpoints that allow authenticated attackers to inject malicious SQL through POST parameters. This enables attackers to extract sensitive database information using blind SQL injection techniques. Organizations running vulnerable Dolibarr versions with authenticated user access are affected.
💻 Affected Systems
- Dolibarr ERP/CRM
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including extraction of sensitive business data, customer information, financial records, and user credentials leading to data breach and potential system takeover.
Likely Case
Unauthorized access to sensitive business data, customer information, and potential privilege escalation within the Dolibarr system.
If Mitigated
Limited impact due to proper input validation, parameterized queries, and restricted database permissions preventing successful exploitation.
🎯 Exploit Status
Exploit code is publicly available and requires authenticated access. Multiple injection points exist in card.php endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 10.0.2 and later
Vendor Advisory: https://www.dolibarr.org/forum/dolibarr-news/security-advisory-dolibarr-10-0-2-released
Restart Required: No
Instructions:
1. Backup your Dolibarr database and files.
2. Download Dolibarr 10.0.2 or later from the official website.
3. Replace vulnerable files with patched versions.
4. Verify all customizations are preserved.
5. Test application functionality.
🔧 Temporary Workarounds
Input Validation Filter
Implement strict input validation for the POST parameters actioncode, demand_reason_id, and availability_id to allow only expected values.
Modify card.php to add parameter validation before database queries
Web Application Firewall Rules
Deploy WAF rules to block SQL injection patterns targeting card.php endpoints.
Add WAF rules to detect and block SQL injection attempts in POST parameters
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Dolibarr from sensitive systems
- Enforce principle of least privilege for database accounts used by Dolibarr
🔍 How to Verify
Check if Vulnerable:
Check if running Dolibarr version 10.0.1 by examining version files or admin interface. Review card.php for lack of parameterized queries on affected parameters.
Check Version:
Check includes/main.inc.php or admin/about.php for version information
Verify Fix Applied:
Verify version is 10.0.2 or later. Test that SQL injection attempts on actioncode, demand_reason_id, and availability_id parameters are properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL error messages in application logs
- Multiple failed login attempts followed by card.php access
- Unusual database query patterns from application user
Network Indicators:
- POST requests to card.php with SQL keywords in parameters
- Unusual outbound database connections from application server
SIEM Query:
source="dolibarr.log" AND ("SQL syntax" OR "You have an error in your SQL syntax" OR ("actioncode=" AND ("SELECT" OR "UNION")))
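The network indicator above (POST requests to card.php carrying SQL keywords in the watched parameters) written as a standalone detector that runs over captured request lines. This is an added example, not part of the advisory and not Dolibarr code. The log line layout, the client addresses and the expected shape of a legitimate actioncode value are assumptions made for the demo; point parse_line at whatever your reverse proxy or WAF actually records. A plain web server access log does not contain POST bodies, so this only works where body logging is enabled or a WAF exports the parameters.

```python
"""Detector for the advisory's network indicator: POST requests to card.php
whose watched parameters carry SQL tokens or malformed values.

Added example. The line layout below is constructed for the demo and is not
Dolibarr's or any web server's native log format."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qsl

# Parameters the advisory names as injection points.
ID_PARAMS = {"demand_reason_id", "availability_id"}   # legitimate values: integers
WATCHED_PARAMS = ID_PARAMS | {"actioncode"}
# Assumed shape of a legitimate actioncode value (e.g. AC_TEL); adjust to your install.
ACTIONCODE_SHAPE = re.compile(r"[A-Z0-9_]{1,32}")

# Tokens that never belong in a short id/code value: quote, comment markers,
# statement separator, UNION/SELECT, and the functions/tautologies used in blind probing.
SQL_PATTERN = re.compile(
    r"'|--|/\*|;|\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|\b(?:or|and)\b\s+\d+\s*=\s*\d+",
    re.IGNORECASE,
)

# Constructed line layout: "<ts> <client> <method> <path> [<urlencoded form body>]"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<body>.*))?$"
)


def parse_line(line: str) -> Optional[dict]:
    """Split one constructed log line into fields and decode its form body."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["params"] = parse_qsl(rec["body"] or "", keep_blank_values=True)
    return rec


def classify_value(param: str, value: str) -> Optional[str]:
    """Return a reason string if the value is suspicious for this parameter, else None."""
    m = SQL_PATTERN.search(value)
    if m:
        return f"sql token {m.group(0).strip()!r}"
    if param in ID_PARAMS and not value.isdigit():
        return "non-numeric id"
    if param == "actioncode" and not ACTIONCODE_SHAPE.fullmatch(value):
        return "unexpected actioncode shape"
    return None


def scan_log(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one alert per suspicious watched parameter in POSTs to any card.php."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"].split("?", 1)[0].rsplit("/", 1)[-1] != "card.php":
            continue
        for param, value in rec["params"]:
            if param not in WATCHED_PARAMS:
                continue
            reason = classify_value(param, value)
            if reason:
                alerts.append({"ts": rec["ts"], "client": rec["client"], "path": rec["path"],
                               "param": param, "value": value, "reason": reason})
    return alerts


def clients_over_threshold(alerts: List[Dict[str, str]], threshold: int = 2) -> Dict[str, int]:
    """Blind SQLi needs many requests: surface clients with repeated hits."""
    counts = Counter(a["client"] for a in alerts)
    return {client: n for client, n in counts.items() if n >= threshold}


# Constructed sample traffic (addresses from documentation ranges, directory name invented).
SAMPLE_LOG = """\
2024-05-01T09:12:01Z 198.51.100.7 POST /example-module/card.php actioncode=AC_TEL&demand_reason_id=3&availability_id=2
2024-05-01T09:12:05Z 198.51.100.7 POST /example-module/card.php actioncode=AC_TEL%27+AND+1%3D1--+&demand_reason_id=3
2024-05-01T09:12:06Z 198.51.100.7 POST /example-module/card.php actioncode=AC_TEL%27+AND+SLEEP%285%29--+&demand_reason_id=3
2024-05-01T09:12:09Z 203.0.113.9 POST /example-module/card.php demand_reason_id=4%20UNION%20SELECT%201&availability_id=1
2024-05-01T09:13:00Z 10.0.0.21 GET /index.php
2024-05-01T09:13:02Z 10.0.0.21 POST /example-module/card.php actioncode=AC_EMAIL&demand_reason_id=1&availability_id=1
"""

if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG.splitlines())
    for a in found:
        print(f'{a["ts"]} {a["client"]} {a["param"]}={a["value"]!r}: {a["reason"]}')
    print("clients with repeated hits:", clients_over_threshold(found))
```

The value checks are deliberately two-layered: the SQL token list catches the obvious probes, while the per-parameter shape check (integer ids, an upper-case code) catches anything that does not look like a value the application would ever send, which is what you rely on once an attacker avoids the keywords. Tune ACTIONCODE_SHAPE and the threshold to your own baseline before alerting on it.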