Login Sign Up

CVE-2025-14711

7.3 HIGH
SQL Injection

📋 TL;DR

This SQL injection vulnerability in FantasticLBP Hotels Server allows remote attackers to execute arbitrary SQL commands via the pickedHotelName/type parameters in hotelList.php. This affects all deployments running versions up to commit 67b44df162fab26df209bd5d5d542875fcbec1d0. Attackers could potentially access, modify, or delete hotel reservation data.

💻 Affected Systems

Products:
  • FantasticLBP Hotels Server
Versions: All versions up to commit 67b44df162fab26df209bd5d5d542875fcbec1d0
Operating Systems: Any OS running the server
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the /controller/api/hotelList.php endpoint specifically

📦 What is this software?

Hotels Server by Fantasticlbp

View all CVEs affecting Hotels Server →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data destruction, or full system takeover via SQL injection to RCE chaining

🟠

Likely Case

Unauthorized access to hotel reservation data, guest information exposure, and potential data manipulation

🟢

If Mitigated

Limited impact with proper input validation, parameterized queries, and network segmentation in place

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details published on GitHub, remote exploitation possible without authentication

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Vendor did not respond to disclosure. Consider migrating to alternative software or implementing workarounds.

🔧 Temporary Workarounds

Web Application Firewall (WAF) Rules

all

Implement WAF rules to block SQL injection patterns targeting hotelList.php parameters

Input Validation Filter

all

Add input validation for pickedHotelName and type parameters before processing

🧯 If You Can't Patch

  • Isolate the server behind a reverse proxy with strict input validation
  • Implement network segmentation to restrict access to the vulnerable endpoint

🔍 How to Verify

Check if Vulnerable:

Check if your FantasticLBP Hotels Server version is at or before commit 67b44df162fab26df209bd5d5d542875fcbec1d0

Check Version:

Check git commit hash or version file in installation directory

Verify Fix Applied:

Test the hotelList.php endpoint with SQL injection payloads to confirm they are blocked

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in application logs
  • Multiple failed parameter validation attempts
  • Suspicious patterns in pickedHotelName/type parameters

Network Indicators:

  • SQL injection payloads in HTTP requests to /controller/api/hotelList.php
  • Unusual database connection patterns

SIEM Query:

source="web_logs" AND uri="/controller/api/hotelList.php" AND (param="pickedHotelName" OR param="type") AND (payload="' OR " OR "--" OR "UNION" OR "SELECT")

📊 Metadata

CVE ID: CVE-2025-14711
CVSS v3 Score: 7.3 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-74
EPSS Score: 0.05% exploit probability (14.6th percentile)
Published: December 15, 2025
Last Updated: March 5, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-14711, you might also want to check these:

CVE-2026-25520 10.0

SandboxJS versions before 0.8.29 have a critical sandbox escape vulnerability that allows attackers ...

Same vulnerability type (CWE-74)
CVE-2026-25586 10.0

This CVE describes a sandbox escape vulnerability in SandboxJS library versions before 0.8.29. Attac...

Same vulnerability type (CWE-74)
CVE-2025-20281 10.0

An unauthenticated remote code execution vulnerability in Cisco ISE and ISE-PIC API allows attackers...

Same vulnerability type (CWE-74)