CVE-2019-25669
Published: 05 April 2026
Summary
CVE-2019-25669 is a high-severity SQL injection (CWE-89) vulnerability in qdPM, a project management application. Its CVSS v3.1 base score is 8.2 (High), as computed from the vector given in the deeper analysis below.
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE sits at the 22.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a publicly referenced proof-of-concept.
The strongest mitigations identified by this analysis are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2019-25669 is an SQL injection vulnerability (CWE-89) affecting qdPM version 9.1, a project management application. The issue resides in the handling of the search_by_extrafields[] parameter: values submitted in POST requests to the users endpoint are incorporated into database queries without adequate validation, so an unauthenticated attacker can inject SQL. Malformed values trigger SQL syntax errors, and the resulting error responses can be used to extract information from the database (error-based injection).
The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N): it is exploitable over the network by unauthenticated attackers, with low attack complexity and no user interaction required. Successful exploitation has a high confidentiality impact (unauthorized disclosure of database contents), a low integrity impact, and no availability impact.
References include the official qdPM site (http://qdpm.net) and its download page (http://qdpm.net/download-qdpm-free-project-management), an Exploit-DB proof-of-concept (https://www.exploit-db.com/exploits/46387), and a VulnCheck advisory detailing the SQL injection via the search_by_extrafields parameter (https://www.vulncheck.com/advisories/qdpm-sql-injection-via-search-by-extrafields-parameter). Security practitioners should review these sources for any available patches or mitigation guidance.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-20073
Vulnerability details
qdPM 9.1 contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the search_by_extrafields[] parameter. Attackers can send POST requests to the users endpoint with malicious search_by_extrafields[] values to trigger SQL syntax errors and extract database information.
- CWE(s): CWE-89 (SQL Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
Direct unauthenticated SQL injection in a public-facing web application (qdPM) enabling database data extraction.
Mitigating Controls (NIST 800-53 r5)
SI-10 requires validation and sanitization of inputs such as search_by_extrafields[]; checking each value against its expected format and binding it as a query parameter before it reaches the database removes the injection vector.
SI-2 mandates identifying, reporting, and correcting flaws such as this SQL injection vulnerability through timely patching or upgrading of qdPM 9.1 installations.
SI-11 ensures that error handling does not return database error details (such as SQL syntax errors) to the client, which limits what an attacker can learn from error-based extraction attempts.
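The following is an added example, not qdPM's own code (qdPM is a PHP application and its real query is not reproduced here). It models the pattern described in the deeper analysis and the SI-10/SI-11 controls above: one handler pastes each search_by_extrafields[] value into the SQL text and echoes database errors to the client; the other validates the values as numeric field IDs, binds them as parameters, and returns a generic error. The schema, table and function names, and the three request payloads are constructed for illustration; an in-memory SQLite database stands in for the application database so the block runs offline.

```python
"""Illustrative model of an array-parameter SQL injection and its fix.

Added example; not qdPM's own code. The schema below is a constructed
stand-in for an application database and is not qdPM's real schema.
"""
import re
import sqlite3

# Constructed schema: a users table, the catalogue of "extra fields" a search
# may filter on, and the per-user values of those fields.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, password_hash TEXT);
CREATE TABLE extra_fields (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE user_extra_values (user_id INTEGER, field_id INTEGER, value TEXT);
INSERT INTO users VALUES (1, 'alice', 'hash-a'), (2, 'bob', 'hash-b');
INSERT INTO extra_fields VALUES (3, 'department'), (4, 'phone');
INSERT INTO user_extra_values VALUES (1, 3, 'eng'), (2, 4, '555-0100');
"""

BASE_QUERY = ("SELECT DISTINCT u.login FROM users u "
              "JOIN user_extra_values v ON v.user_id = u.id WHERE ")


def connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def search_users_vulnerable(conn, extrafields):
    """CWE-89 pattern: each search_by_extrafields[] value is pasted into the
    SQL text, so a value can close the expression and append its own SQL."""
    where = " OR ".join("v.field_id = " + f for f in extrafields)
    return sorted(row[0] for row in conn.execute(BASE_QUERY + where))


def search_users_hardened(conn, extrafields):
    """SI-10: accept only decimal IDs that exist in extra_fields, then bind
    them as parameters so the values can never change the query's shape."""
    known = {row[0] for row in conn.execute("SELECT id FROM extra_fields")}
    ids = []
    for f in extrafields:
        if not re.fullmatch(r"[0-9]{1,9}", f):
            raise ValueError("search_by_extrafields[] values must be numeric IDs")
        if int(f) not in known:
            raise ValueError("unknown extra field id")
        ids.append(int(f))
    if not ids:
        return []
    placeholders = ",".join("?" * len(ids))
    sql = BASE_QUERY + "v.field_id IN (" + placeholders + ")"
    return sorted(row[0] for row in conn.execute(sql, ids))


def handle_search(conn, extrafields, hardened):
    """Shape of the HTTP handler. The vulnerable branch echoes the database
    error to the client, which is what makes error-based extraction cheap;
    the hardened branch returns a generic message (SI-11). Server-side
    logging of the real error is omitted here."""
    try:
        fn = search_users_hardened if hardened else search_users_vulnerable
        return {"status": 200, "logins": fn(conn, extrafields)}
    except ValueError as e:
        return {"status": 400, "error": str(e)}
    except sqlite3.Error as e:
        if hardened:
            return {"status": 500, "error": "search failed"}
        return {"status": 500, "error": str(e)}  # leaks 'near ")": syntax error'


if __name__ == "__main__":
    db = connect()
    # Three constructed payloads: a normal request, a syntax-error probe,
    # and a UNION that pulls password hashes out of the users table.
    for payload in (["3"], ["3)"], ["0 UNION SELECT password_hash FROM users"]):
        print("vulnerable", payload, handle_search(db, payload, hardened=False))
        print("hardened  ", payload, handle_search(db, payload, hardened=True))
```

Running the block shows the two halves of the page's description side by side: the `3)` probe produces a syntax error that the vulnerable handler returns verbatim, and the UNION payload returns password hashes through a query that was only meant to filter on a field ID. The hardened handler rejects both with a 400 before any SQL is executed, because the allowlist check is on the value's format and existence rather than on a blocklist of SQL keywords.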