CVE-2019-25710

HIGH

Dolibarr ERP-CRM 8.0.4 SQL Injection via rowid Parameter

Title source: cna

Description

Dolibarr ERP-CRM 8.0.4 contains an SQL injection vulnerability in the rowid parameter of the admin dict.php endpoint that allows attackers to execute arbitrary SQL queries. Attackers can inject malicious SQL code through the rowid POST parameter to extract sensitive database information using error-based SQL injection techniques.

Exploits (1)

exploitdb WORKING POC
by Mehmet Onder · text · webapps · php
https://www.exploit-db.com/exploits/46095

Scores

CVSS v3 8.2
EPSS 0.0003
EPSS Percentile 8.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Details

CWE
CWE-89
Status published
Products (3)
dolibarr/dolibarr 0 Packagist
Dolibarr/Dolibarr ERP-CRM 8.0.4
dolibarr/dolibarr_erp/crm < 8.0.4
Published Apr 12, 2026
Tracked Since Apr 12, 2026