Impact
The vulnerability is a classic SQL injection: attacker-controlled input in the search_by_extrafields[] parameter of the users endpoint is incorporated into a SQL query without proper sanitisation or parameter binding. By sending crafted POST requests, an adversary can trigger database syntax errors and retrieve sensitive database contents, potentially exposing user data and configuration. The flaw is classified as CWE-89 (SQL Injection) and allows the database to be read or modified, compromising confidentiality and integrity.
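To make the CWE-89 pattern behind this advisory concrete, the following added example (not qdPM's code; it uses an in-memory SQLite table and made-up column names) contrasts a search that splices user-supplied field names and values into the query text with a hardened version that checks field names against an allow list and binds values as parameters. The unsafe variant fails with a database syntax error as soon as ordinary input contains an apostrophe, which is the same symptom the advisory describes for the vulnerable parameter.

```python
import sqlite3

# Extra-field columns the application itself defines (assumption for this
# example); any other field name in a request is rejected outright.
ALLOWED_EXTRA_FIELDS = {"department", "location"}


def make_demo_db():
    """Constructed sample data standing in for a users table with extra fields."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT,
                            department TEXT, location TEXT);
        INSERT INTO users VALUES (1, 'alice', 'finance', 'Dublin');
        INSERT INTO users VALUES (2, 'bob',   'it',      'Cork');
        INSERT INTO users VALUES (3, 'carol', 'it',      'O''Brien St');
        INSERT INTO users VALUES (4, 'dave',  'it',      'Dublin');
        """
    )
    return conn


def search_users_unsafe(conn, extrafields):
    """The CWE-89 pattern: field names and values are spliced into the SQL text."""
    clauses = " AND ".join(f"{field} = '{value}'" for field, value in extrafields.items())
    sql = "SELECT id, name FROM users"
    if clauses:
        sql += " WHERE " + clauses
    return [row[1] for row in conn.execute(sql + " ORDER BY id")]


def search_users_safe(conn, extrafields):
    """Hardened form: column names validated against an allow list, values bound."""
    clauses, params = [], []
    for field, value in extrafields.items():
        if field not in ALLOWED_EXTRA_FIELDS:
            raise ValueError(f"unknown search field: {field!r}")
        clauses.append(f"{field} = ?")          # column name is from our own set
        params.append(value)                    # value never touches the SQL text
    sql = "SELECT id, name FROM users"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return [row[1] for row in conn.execute(sql + " ORDER BY id", params)]


def demo():
    """Run both variants over the sample data and collect the observable outcomes."""
    conn = make_demo_db()
    out = {
        "unsafe_plain": search_users_unsafe(conn, {"location": "Dublin"}),
        "safe_plain": search_users_safe(conn, {"location": "Dublin"}),
        "safe_two_fields": search_users_safe(conn, {"department": "it", "location": "Dublin"}),
        "safe_apostrophe": search_users_safe(conn, {"location": "O'Brien St"}),
    }
    # An apostrophe in benign input breaks the spliced query; the database
    # reports a syntax error, which is exactly how such flaws get noticed.
    try:
        search_users_unsafe(conn, {"location": "O'Brien St"})
        out["unsafe_apostrophe"] = "query ran"
    except sqlite3.OperationalError:
        out["unsafe_apostrophe"] = "OperationalError"
    # A field name outside the allow list is refused before any SQL is built.
    try:
        search_users_safe(conn, {"password": "x"})
        out["unknown_field"] = "accepted"
    except ValueError:
        out["unknown_field"] = "rejected"
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two properties of the hardened version are worth noting: the column name can only ever be one of the application's own identifiers, so the shape of the query is fixed, and the comparison value is passed to the driver as a bound parameter, so quoting characters in it are data rather than syntax.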
Affected Systems
The affected product is qdPM (listed under the vendor Qdpm). CVE-2019-25669 is documented against version 9.1. The product is also offered in 8.3, 9.0 and 9.2 variants, but only the 9.1 build is known to be vulnerable from the available data. Administrators should verify whether their deployment runs the 9.1 release and check for newer versions that include the fix.
Risk and Exploitability
The CVSS score of 8.8 signals a high-severity issue. The EPSS score of less than 1 % indicates a low immediate likelihood of exploitation, yet a public exploit (46387) exists in exploit-db. Remote attackers can reach the vulnerable endpoint over HTTP/HTTPS, send a POST request containing a malicious search_by_extrafields[] value, and extract or modify database contents. The flaw requires no privileged or local access and can be leveraged against any typical web-exposed deployment.
OpenCVE Enrichment