CVE-2019-25452 in ERP CRMinfo

Summary

by MITRE • 02/22/2026

Dolibarr ERP/CRM 10.0.1 contains an SQL injection vulnerability in the elemid POST parameter of the viewcat.php endpoint that allows unauthenticated attackers to execute arbitrary SQL queries. Attackers can submit crafted POST requests with malicious SQL payloads in the elemid parameter to extract sensitive database information using error-based or time-based blind SQL injection techniques.


Analysis

by VulDB Data Team • 03/03/2026

CVE-2019-25452 is a critical SQL injection flaw in Dolibarr ERP/CRM version 10.0.1. It affects the viewcat.php endpoint, where the elemid POST parameter is not properly sanitized, giving an attacker an exploitable entry point. The flaw sits in the application's database interaction layer, where user-supplied data is incorporated directly into SQL query construction without adequate validation or parameterization.

The vulnerability is triggered by manipulating the elemid parameter in POST requests to the viewcat.php endpoint. Because the input is not sanitized, an unauthenticated attacker can inject arbitrary SQL commands into the backend database. Either error-based or time-based blind SQL injection can be used to extract sensitive information: the error-based approach reveals database structure and content through error messages, while the time-based method infers information from differences in query response time.

The operational impact of this vulnerability extends beyond simple data theft, as it provides attackers with the capability to manipulate database contents, potentially leading to complete system compromise. An attacker could extract user credentials, customer data, financial records, and other sensitive business information stored within the Dolibarr database. The unauthenticated nature of this vulnerability means that any external party can exploit it without requiring prior access credentials, making it particularly dangerous for organizations running exposed web applications. The vulnerability affects organizations using Dolibarr ERP/CRM systems that have not applied the relevant security patches, potentially exposing critical business data to unauthorized access.

Security professionals should consider this vulnerability in the context of CWE-89, which covers SQL injection weaknesses in software applications. The flaw aligns with ATT&CK technique T1213.002, which focuses on data from information repositories, reflecting how this vulnerability lets adversaries access and extract sensitive data from database systems. Organizations should implement immediate mitigations, including input validation, parameterized queries, and web application firewalls, to prevent exploitation. The recommended approach is to apply the vendor-provided security patches, implement proper input sanitization, and conduct regular security assessments of web applications. Additionally, organizations should consider network segmentation and access controls to limit the damage from a successful exploitation attempt, while monitoring for suspicious database access patterns that may indicate ongoing attacks against vulnerable systems.
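As an added illustration (not Dolibarr's code; Dolibarr itself is written in PHP), the following Python shows the unsafe pattern the analysis describes, an elemid value concatenated into the query, next to the hardened form that validates elemid as a bounded integer and binds it as a parameter, plus a small check a defender can run over logged elemid values. The table name, columns and rows are constructed for the demo and stand in for whatever viewcat.php actually reads.

```python
import re
import sqlite3

# elemid in Dolibarr is a numeric row id, so anything other than a short run
# of digits is out of specification and should be rejected or flagged.
ELEMID_RE = re.compile(r"[0-9]{1,9}")


def demo_db():
    """Constructed in-memory table standing in for the data viewcat.php queries."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE element (elem_id INTEGER, label TEXT)")
    db.executemany("INSERT INTO element VALUES (?, ?)",
                   [(1, "alpha"), (2, "beta"), (3, "gamma")])
    return db


def lookup_vulnerable(db, elemid):
    """Mirrors the advisory's flaw: untrusted elemid concatenated into the SQL text."""
    sql = "SELECT label FROM element WHERE elem_id = " + elemid
    return [row[0] for row in db.execute(sql)]


def is_valid_elemid(value):
    """Allow-list validation: elemid must be a plain positive integer."""
    return ELEMID_RE.fullmatch(value) is not None


def lookup_hardened(db, elemid):
    """Validate first, then bind the value so it can never alter query structure."""
    if not is_valid_elemid(elemid):
        raise ValueError("elemid must be a positive integer")
    sql = "SELECT label FROM element WHERE elem_id = ?"
    return [row[0] for row in db.execute(sql, (int(elemid),))]


def flag_suspicious_elemid(values):
    """Detection helper for WAF or request-log review: return elemid values
    that do not match the allow-list, i.e. candidates for injection attempts."""
    return [v for v in values if not is_valid_elemid(v)]


if __name__ == "__main__":
    db = demo_db()
    print(lookup_vulnerable(db, "2"))        # ['beta']
    print(lookup_vulnerable(db, "2 OR 1=1")) # every row: the filter was rewritten
    print(lookup_hardened(db, "2"))          # ['beta']
    print(flag_suspicious_elemid(["2", "2 OR 1=1", "12abc"]))
```
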

Responsible

VulnCheck

Reservation

02/20/2026

Disclosure

02/22/2026

Moderation

accepted

CPE

ready

EPSS

0.00131

KEV

no

Activities

very low
