CVE-2019-25450

Name of the Vulnerable Software and Affected Versions Dolibarr ERP/CRM version 10.0.1

Description The software contains multiple SQL injection flaws. Authenticated attackers can manipulate database queries by injecting SQL code through POST parameters. Attackers can inject malicious SQL through parameters like actioncode, demand reason id, and availability id in the /card.php API endpoint to extract sensitive database information using boolean-based blind, error-based, and time-based blind techniques.

Recommendations Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the /card.php endpoint to minimize the risk of exploitation. Avoid using the parameters actioncode, demand reason id, and availability id in the affected API endpoint until the issue is resolved.