CVE-2025-13170

7.3 HIGH

📋 TL;DR

CVE-2025-13170 is an SQL injection vulnerability in Simple Online Hotel Reservation System 1.0 that allows attackers to manipulate database queries via the admin_id parameter in /admin/edit_account.php. This enables unauthorized data access, modification, or deletion. All systems running the vulnerable version are affected.

💻 Affected Systems

Products:
  • Simple Online Hotel Reservation System
Versions: 1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the /admin/edit_account.php file specifically. Requires admin access to reach the vulnerable endpoint.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise including credential theft, data destruction, and potential remote code execution via database functions.

🟠 Likely Case: Unauthorized access to sensitive hotel reservation data, guest information, and administrative credentials.

🟢 If Mitigated: Limited data exposure if proper input validation and database permissions are enforced.

🌐 Internet-Facing: HIGH - The attack can be carried out remotely and a public exploit exists.
🏢 Internal Only: MEDIUM - Internal attackers could exploit the flaw if the system is reachable on the internal network.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

The exploit requires admin authentication, but the SQL injection is straightforward once authenticated. Public exploit details are available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://code-projects.org/

Restart Required: No

Instructions:

No official patch is available. Implement the workarounds below or migrate to alternative software.

🔧 Temporary Workarounds

Input Validation and Parameterized Queries (applies to: all)

  • Modify edit_account.php to use prepared statements and validate the admin_id parameter
  • Replace string-built SQL queries with PDO or mysqli prepared statements in the PHP code

Web Application Firewall (WAF) (applies to: all)

  • Deploy WAF rules to block SQL injection patterns
  • Configure the WAF to block SQL injection patterns for requests to /admin/edit_account.php
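An added example of the prepared-statement workaround (not the project's own code): the admin_id value is validated as a positive integer and then bound as a PDO parameter, so it can no longer alter the query structure. The table and column names (admins, admin_id, username, email) and the connection details are assumptions.

```php
<?php
// Added example, not code from Simple Online Hotel Reservation System.
// Hardened handling of the admin_id parameter for an edit-account handler.
// Table/column names and connection settings are assumed.

declare(strict_types=1);

function loadAdminAccount(PDO $db, mixed $rawAdminId): ?array
{
    // Validate before the value goes anywhere near SQL: admin_id must be a
    // positive integer. filter_var returns false for anything else, so
    // values such as "1 OR 1=1" or "1' UNION SELECT ..." are rejected here.
    $adminId = filter_var($rawAdminId, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($adminId === false) {
        return null; // reject the request; never fall back to the raw value
    }

    // Parameterised query: the value is bound, not concatenated, so the
    // database receives it as data and the query structure is fixed.
    $stmt = $db->prepare(
        'SELECT admin_id, username, email FROM admins WHERE admin_id = :admin_id'
    );
    $stmt->bindValue(':admin_id', $adminId, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage as it would appear in edit_account.php (assumed DSN and credentials).
$db = new PDO('mysql:host=localhost;dbname=hotel;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // use real server-side prepared statements
]);

$account = loadAdminAccount($db, $_GET['admin_id'] ?? null);
if ($account === null) {
    http_response_code(400);
    exit('Invalid account id');
}
```

Apply the same pattern to every statement in the file that reads admin_id, including any UPDATE or DELETE, not only the initial SELECT.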

🧯 If You Can't Patch

  • Restrict network access to admin interface using firewall rules
  • Implement strong authentication and monitor admin account activity

🔍 How to Verify

Check if Vulnerable:

Check whether the system runs Simple Online Hotel Reservation System 1.0 and contains the /admin/edit_account.php file

Check Version:

Check source code or documentation for version information

Verify Fix Applied:

Test the admin_id parameter with SQL injection payloads after implementing the fixes and confirm that non-integer values are rejected

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts to admin panel
  • Suspicious admin_id parameter values in web logs

Network Indicators:

  • SQL error messages in HTTP responses
  • Unusual database connection patterns from web server

SIEM Query:

source="web_logs" AND uri="/admin/edit_account.php" AND (param="admin_id" AND value MATCHES "[';]|UNION|SELECT")
