CVE-2025-4064

5.3 MEDIUM

📋 TL;DR

CVE-2025-4064 is an improper access control vulnerability in ScriptAndTools Online-Travling-System 1.0 that allows unauthorized access to the admin viewenquiry.php file. This affects all users running the vulnerable version of this travel system software. Attackers can exploit this remotely to access sensitive administrative functions.

💻 Affected Systems

Products:
  • ScriptAndTools Online-Travling-System
Versions: 1.0
Operating Systems: Any OS running a PHP web server
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the admin panel at /admin/viewenquiry.php specifically

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise through privilege escalation, data theft, or unauthorized administrative actions
🟠 Likely Case: Unauthorized viewing of sensitive travel inquiries and potential data exposure
🟢 If Mitigated: Limited impact with proper network segmentation and access controls

🌐 Internet-Facing: HIGH - Attack can be initiated remotely without authentication
🏢 Internal Only: MEDIUM - Still vulnerable but requires internal network access

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details are publicly available and attack requires minimal technical skill

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available or implementing workarounds.

🔧 Temporary Workarounds

Restrict access to admin directory (platform: all)

Implement IP-based restrictions or authentication for the /admin/ directory. The 192.168.1.0/24 range below is a placeholder; replace it with the network your administrators actually connect from.

# Apache: add to .htaccess in the admin directory
# (Apache 2.2 directives; on Apache 2.4 they need mod_access_compat,
#  or use "Require ip 192.168.1.0/24" instead)
Order deny,allow
Deny from all
Allow from 192.168.1.0/24

# Nginx: add to the server block
location /admin/ {
    allow 192.168.1.0/24;
    deny all;
}

Remove vulnerable file (platform: linux)

Delete or rename viewenquiry.php if not needed (run one of the two commands, not both)

# Option 1: delete the file
rm /path/to/admin/viewenquiry.php
# Option 2: rename it; a renamed copy left under the web root may still be served as a static file, so move it outside the document root if possible
mv /path/to/admin/viewenquiry.php /path/to/admin/viewenquiry.php.disabled

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can reach the admin interface
  • Monitor access logs to /admin/viewenquiry.php for unauthorized attempts

🔍 How to Verify

Check if Vulnerable:

Check if /admin/viewenquiry.php is accessible without proper authentication by attempting to access it directly via browser or curl

Check Version:

Check application documentation or configuration files for version information

Verify Fix Applied:

Verify that /admin/viewenquiry.php now requires proper authentication or returns appropriate access denied responses

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to /admin/viewenquiry.php
  • Multiple failed authentication attempts followed by successful access to admin pages

Network Indicators:

  • Unusual traffic patterns to admin URLs from unexpected IP addresses
  • HTTP requests to /admin/viewenquiry.php without proper session cookies

SIEM Query:

source="web_server" AND (url="/admin/viewenquiry.php" OR url="/admin/*") AND NOT (user="admin" OR session_status="authenticated")
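As an added example (not part of this advisory or the vendor's software), the following script applies the log indicators above to standard "combined" format access log lines: it flags successful (2xx) requests to /admin/viewenquiry.php from addresses outside the allow-list used in the workaround. The log lines, the 192.168.1.0/24 range and the outside addresses are constructed for the demonstration.

```python
import ipaddress
import re

VULN_PATH = "/admin/viewenquiry.php"
ALLOWED_NETS = [ipaddress.ip_network("192.168.1.0/24")]  # same range as the workaround (assumed)

# Apache/Nginx "combined" access-log format: ip ident user [time] "req" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log: one allow-listed admin hit, two from an outside address,
# one blocked attempt (403) and one unrelated request
SAMPLE_LOG = """\
192.168.1.10 - - [10/May/2025:09:12:01 +0000] "GET /admin/viewenquiry.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2025:09:12:44 +0000] "GET /admin/viewenquiry.php HTTP/1.1" 200 5123 "-" "curl/8.0"
203.0.113.7 - - [10/May/2025:09:13:02 +0000] "GET /admin/viewenquiry.php?id=3 HTTP/1.1" 200 611 "-" "curl/8.0"
198.51.100.5 - - [10/May/2025:09:14:10 +0000] "GET /admin/viewenquiry.php HTTP/1.1" 403 199 "-" "python-requests/2.31"
203.0.113.9 - - [10/May/2025:09:15:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def is_allowed(ip):
    """True if the source address falls inside an allow-listed network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable source address: treat as untrusted
    return any(addr in net for net in ALLOWED_NETS)


def find_suspicious_hits(log_text):
    """Return successful hits on the vulnerable page from non-allow-listed IPs."""
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m.group("path").split("?", 1)[0]  # ignore the query string
        status = int(m.group("status"))
        if path == VULN_PATH and 200 <= status < 300 and not is_allowed(m.group("ip")):
            alerts.append({"ip": m.group("ip"), "time": m.group("ts"), "status": status})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_hits(SAMPLE_LOG):
        print(f"ALERT {a['time']} {a['ip']} reached {VULN_PATH} (HTTP {a['status']})")
```

A 403 from an outside address means the workaround is doing its job; a 2xx from one means the page was reached and the request deserves investigation.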
