CVE-2025-15127
📋 TL;DR
This CVE describes an SQL injection vulnerability in the Room.php API endpoint (/controller/api/Room.php) of FantasticLBP Hotels_Server. The hotelId parameter reaches an SQL query unsanitized, so a remote attacker can use it to execute arbitrary SQL statements against the backing database. Affected builds are identified by commit rather than by version: all deployments at or before commit 67b44df162fab26df209bd5d5d542875fcbec1d0 are affected, and no fixing commit is known.
💻 Affected Systems
- FantasticLBP Hotels_Server
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including data theft, modification, deletion, and potential remote code execution via database functions.
Likely Case
Unauthorized data access, privilege escalation, and potential data exfiltration from the hotels database.
If Mitigated
With strict input validation in front of the endpoint and a least-privilege database account, the injection is either blocked outright or confined to reading data that account can already see; it cannot modify or delete data or reach other databases.
🎯 Exploit Status
Exploit disclosed publicly; SQL injection through a single query parameter (hotelId) requires minimal technical skill and is easily automated.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: No
Instructions:
No official patch is available. Check the GitHub repository for commits after 67b44df162fab26df209bd5d5d542875fcbec1d0 that change /controller/api/Room.php, and confirm that such a commit actually validates or parameterizes hotelId before treating a newer checkout as fixed.
🔧 Temporary Workarounds
Input Validation Filter (applies to all deployments)
Add strict input validation for the hotelId parameter so the endpoint accepts only the expected data type.
Modify /controller/api/Room.php to accept hotelId only when it is a plain integer (filter_var() with FILTER_VALIDATE_INT, or an explicit (int) cast), and pass the value to the query as a bound parameter of a prepared statement instead of interpolating it into the SQL string. is_numeric() is a weaker check: it also accepts floats and exponent notation such as 1.5 and 1e3.
WAF Rule Implementation (applies to all deployments)
Deploy web application firewall rules that block SQL injection patterns in requests to this endpoint.
Add a WAF rule that rejects requests to /controller/api/Room.php whose hotelId value, after URL decoding, is not a plain integer. A rule that only matches SQL keywords (UNION, SELECT, --) misses boolean-based and time-based payloads that use a quote and SLEEP() or BENCHMARK() without those keywords.
🧯 If You Can't Patch
- Isolate the Hotels_Server instance behind a reverse proxy with strict input filtering
- Implement database-level controls: give the application's database account only the privileges the endpoint needs (for a read-only listing, SELECT on the tables it serves). This limits modification and deletion through the injection but not reading of data the account can see. If the application also writes, a SELECT-only account breaks those features, so use a separate read-only account for the vulnerable endpoint or restrict grants per table.
🔍 How to Verify
Check if Vulnerable:
Send a request to /controller/api/Room.php with an integer hotelId, then the same request with a hotelId that is not a plain integer (for example a value containing a single quote). A database error message, a changed result set, or a delayed response for the second request indicates the parameter reaches the query unsanitized.
Check Version:
git rev-parse HEAD
Compare with 67b44df162fab26df209bd5d5d542875fcbec1d0: any checkout at or before that commit is affected, and no later commit is known to fix the issue. git log --oneline -1 -- controller/api/Room.php shows the last change to the vulnerable file.
Verify Fix Applied:
Send the same non-integer hotelId again: the endpoint should reject it with a client error (400) without touching the database and without echoing SQL errors, while an integer hotelId still returns the expected rooms. Also confirm that the query in Room.php uses a bound parameter rather than string interpolation.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL error messages in application logs
- Bursts of requests to /controller/api/Room.php from one client with many different hotelId values (automated injection tools iterate through payloads)
- Database query logs showing statements against the rooms table with unexpected clauses (UNION, SLEEP(), comment sequences) or reads of information_schema
Network Indicators:
- HTTP requests to /controller/api/Room.php with SQL keywords in parameters
- Unusual outbound connections from the Hotels_Server or database host, which can indicate out-of-band exfiltration
SIEM Query:
source="web_logs" AND uri="/controller/api/Room.php" AND param="hotelId" AND (value CONTAINS "UNION" OR value CONTAINS "SELECT" OR value CONTAINS "--" OR value CONTAINS "'" OR value CONTAINS "SLEEP(")
Match against the URL-decoded value (payloads arrive as %27, %20 and similar), and keep the OR terms grouped as shown; without the parentheses the uri and param conditions apply only to the first term. A tighter rule is to alert on any request where the decoded hotelId is not a plain integer, which also catches payloads that use none of the listed keywords.
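The SIEM rule above, and the WAF rule from the workarounds section, expressed as a runnable scan over access-log lines; this is an added example, not code from the page or from the Hotels_Server project. The log lines are constructed for the example, the format is assumed to be Apache/nginx combined format, and the marker list is a starting point rather than a complete SQL injection signature set. Unlike the one-line query, it URL-decodes hotelId (twice, to catch double encoding) before matching, keeps repeated hotelId parameters, and alerts on any non-integer value rather than only on keyword hits:

```php
<?php
// Added example, not code from the page or the Hotels_Server project.
// Applies the detection rule to web-server access logs: keep requests to
// Room.php, URL-decode the hotelId value (twice, to catch double encoding)
// and flag anything that is not a plain integer, naming the SQL marker found.
declare(strict_types=1);

const TARGET_PATH = '/controller/api/Room.php';

// Markers checked after decoding: SQL keywords (word-bounded, case-insensitive),
// comment openers and the single quote. Keyword-only rules miss the quote and
// the time-based SLEEP()/BENCHMARK() payloads that never use UNION or SELECT.
const INJECTION_PATTERN = '/(\bunion\b|\bselect\b|\bsleep\b|\bbenchmark\b|--|#|\/\*|\x27)/i';

// Constructed combined-format log lines for this example (addresses from the
// documentation ranges). Line 3 is not the target path; line 4 is double-encoded.
const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [10/Nov/2025:10:15:01 +0000] "GET /controller/api/Room.php?hotelId=12 HTTP/1.1" 200 841
203.0.113.7 - - [10/Nov/2025:10:15:03 +0000] "GET /controller/api/Room.php?hotelId=12%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 17
198.51.100.9 - - [10/Nov/2025:10:15:04 +0000] "GET /index.php?hotelId=12%20UNION%20SELECT%201 HTTP/1.1" 200 210
198.51.100.9 - - [10/Nov/2025:10:15:05 +0000] "GET /controller/api/Room.php?hotelId=%2531%2527%2520OR%25201%253D1 HTTP/1.1" 500 0
203.0.113.7 - - [10/Nov/2025:10:15:06 +0000] "GET /controller/api/Room.php?hotelId=abc HTTP/1.1" 400 45
LOG;

/** Parse one combined-format line; null if it does not match. */
function parseLogLine(string $line): ?array
{
    if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    $url = parse_url($m[3]);
    return [
        'ip'     => $m[1],
        'method' => $m[2],
        'path'   => $url['path'] ?? '',
        'query'  => $url['query'] ?? '',
        'status' => (int) $m[4],
    ];
}

/** Split a raw query string into name => [raw values]; repeated names are kept. */
function queryParams(string $query): array
{
    $out = [];
    foreach (explode('&', $query) as $pair) {
        if ($pair === '') {
            continue;
        }
        [$name, $value] = array_pad(explode('=', $pair, 2), 2, '');
        $out[urldecode($name)][] = $value;
    }
    return $out;
}

/** Null for a plain integer, otherwise 'sqli-marker' or 'non-integer'. */
function classifyHotelId(string $raw): ?string
{
    $decoded = urldecode(urldecode($raw));
    if (filter_var($decoded, FILTER_VALIDATE_INT) !== false) {
        return null;
    }
    return preg_match(INJECTION_PATTERN, $decoded) ? 'sqli-marker' : 'non-integer';
}

/** One alert per suspicious hotelId seen in a Room.php request. */
function scanLog(string $log): array
{
    $alerts = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parseLogLine($line);
        if ($req === null || $req['path'] !== TARGET_PATH) {
            continue;
        }
        foreach (queryParams($req['query'])['hotelId'] ?? [] as $raw) {
            $reason = classifyHotelId($raw);
            if ($reason !== null) {
                $alerts[] = [
                    'ip'     => $req['ip'],
                    'status' => $req['status'],
                    'reason' => $reason,
                    'value'  => urldecode(urldecode($raw)),
                ];
            }
        }
    }
    return $alerts;
}

// Lines 2, 4 and 5 of the sample produce alerts; line 1 is clean, line 3 is another path.
foreach (scanLog(SAMPLE_LOG) as $a) {
    printf("%-13s status=%d %-12s hotelId=%s\n", $a['ip'], $a['status'], $a['reason'], $a['value']);
}
```

Feed it the real access log with php scan.php < access.log after replacing SAMPLE_LOG with the file contents; the non-integer alerts are the useful ones for triage, since a benign client never sends anything but a number in this parameter.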