CVE-2019-25710
HIGH8.2EPSS 0.04%Dolibarr has SQL injection vulnerability in the rowid parameter of the admin dict.php
Published: 4/12/2026Modified: 4/18/2026
Also known as:GHSA-xxxg-x793-7fq3
Description
Dolibarr ERP-CRM 8.0.4 contains an SQL injection vulnerability in the rowid parameter of the admin dict.php endpoint that allows attackers to execute arbitrary SQL queries. Attackers can inject malicious SQL code through the rowid POST parameter to extract sensitive database information using error-based SQL injection techniques.
Affected packages (1)
- Packagist/dolibarr/dolibarrfrom 0, <= 8.0.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH8.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |
References (6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-25710
- PATCHhttps://github.com/Dolibarr/dolibarr
- WEBhttps://sourceforge.net/projects/dolibarr/files/Dolibarr%20ERP-CRM/8.0.4/dolibarr-8.0.4.zip
- WEBhttps://www.dolibarr.org
- WEBhttps://www.exploit-db.com/exploits/46095
- WEBhttps://www.vulncheck.com/advisories/dolibarr-erp-crm-sql-injection-via-rowid-parameter