CVE-2019-25446 in Digit Centris ERP
Summary
by MITRE • 02/22/2026
DIGIT CENTRIS ERP contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the datum1, datum2, KID, and PID parameters. Attackers can send POST requests to /korisnikinfo.php with malicious SQL syntax in these parameters to extract or modify sensitive database information.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 02/22/2026
The vulnerability identified as CVE-2019-25446 resides within the DIGIT CENTRIS ERP system, representing a critical SQL injection flaw that undermines the application's database security posture. This weakness enables unauthenticated attackers to execute malicious SQL commands against the backend database without requiring valid credentials, fundamentally compromising the system's integrity and confidentiality. The vulnerability specifically affects the /korisnikinfo.php endpoint which processes user information requests and fails to properly sanitize input parameters, creating an exploitable entry point for database manipulation attacks.
The technical implementation of this vulnerability stems from insufficient input validation and parameter sanitization within the application's data handling mechanisms. Attackers can exploit the vulnerability by crafting malicious POST requests containing SQL injection payloads in four specific parameters: datum1, datum2, KID, and PID. These parameters are processed directly within database queries without proper escaping or parameterization, allowing attackers to inject arbitrary SQL syntax that executes within the database context. The vulnerability aligns with CWE-89 which categorizes SQL injection as a fundamental weakness in software applications that fail to properly validate or escape user-supplied input before incorporating it into database queries.
The operational impact of this vulnerability extends beyond simple data extraction to encompass complete database compromise and potential system takeover. Successful exploitation could enable attackers to retrieve sensitive user information, modify database records, execute administrative commands, or even escalate privileges within the affected system. The unauthenticated nature of the attack means that threat actors can exploit this vulnerability without requiring prior access credentials, significantly increasing the attack surface and attack vector accessibility. This weakness creates a persistent threat that can be exploited repeatedly, potentially allowing for data exfiltration, system disruption, or establishment of persistent access points within the network infrastructure.
Security professionals should implement immediate mitigations including input validation, parameterized queries, and web application firewalls to protect against exploitation attempts. The vulnerability demonstrates the critical importance of proper input sanitization and the implementation of secure coding practices as outlined in OWASP Top Ten and NIST guidelines. Organizations should conduct comprehensive security assessments of their ERP systems, implement proper database access controls, and establish monitoring mechanisms to detect anomalous database activity that may indicate exploitation attempts. Additionally, regular security updates and vulnerability management processes should be prioritized to address similar weaknesses in other application components that may present similar attack vectors. The incident underscores the necessity of following secure development lifecycle practices and implementing defense-in-depth strategies to protect enterprise applications from common injection vulnerabilities that remain prevalent in legacy systems.