CVE-2025-8966 – This SQL injection vulnerability in itsourcecod... (How to Fix)

Q: What is the severity of CVE-2025-8966?

CVE-2025-8966 has a CVSS score of 7.3 (HIGH). This SQL injection vulnerability in itsourcecode Online Tour and Travel Management System 1.0 allows attackers to execute arbitrary SQL commands via the 'tname' parameter in the /admin/operations/tax.php file. Attackers can potentially access, modify, or delete database content. All users running version 1.0 of this software are affected.

📋 TL;DR

This SQL injection vulnerability in itsourcecode Online Tour and Travel Management System 1.0 allows attackers to execute arbitrary SQL commands via the 'tname' parameter in the /admin/operations/tax.php file. Attackers can potentially access, modify, or delete database content. All users running version 1.0 of this software are affected.

💻 Affected Systems

Products:

itsourcecode Online Tour and Travel Management System

Versions: 1.0

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerability exists in the default installation and requires the system to be accessible via web interface.

📦 What is this software?

Online Tour \& Travel Management System by Mayurik

View all CVEs affecting Online Tour \& Travel Management System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including sensitive customer data, financial records, and administrative credentials leading to data theft, system takeover, or ransomware deployment.

🟠

Likely Case

Unauthorized data access and extraction of sensitive information such as customer details, booking records, and potentially administrative credentials.

🟢

If Mitigated

Limited impact if proper input validation and parameterized queries are implemented, potentially only causing minor data exposure.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploit details are publicly available on GitHub, making this easily exploitable by attackers with basic SQL injection knowledge.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://itsourcecode.com/

Restart Required: No

Instructions:

1. Check vendor website for updates 2. If no patch available, implement workarounds 3. Consider migrating to alternative software

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Implement strict input validation and parameterized queries for the tname parameter

Modify /admin/operations/tax.php to use prepared statements

Web Application Firewall (WAF)

all

Deploy WAF rules to block SQL injection patterns

Configure WAF to block requests containing SQL keywords targeting /admin/operations/tax.php

🧯 If You Can't Patch

Restrict access to /admin/operations/tax.php using IP whitelisting or authentication
Implement network segmentation to isolate the vulnerable system from sensitive data

🔍 How to Verify

Check if Vulnerable:

Test the /admin/operations/tax.php endpoint with SQL injection payloads in the tname parameter

Check Version:

Check system documentation or admin panel for version information

Verify Fix Applied:

Verify that SQL injection attempts no longer succeed and that parameterized queries are implemented

📡 Detection & Monitoring

Log Indicators:

Unusual SQL errors in application logs
Multiple failed login attempts following SQL injection patterns
Unexpected database queries from web server

Network Indicators:

HTTP requests to /admin/operations/tax.php containing SQL keywords
Unusual database connections from web server

SIEM Query:

source="web_logs" AND uri="/admin/operations/tax.php" AND (payload="UNION" OR payload="SELECT" OR payload="INSERT" OR payload="DELETE")

📊 Metadata

CVE ID: CVE-2025-8966

CVSS v3 Score: 7.3 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-74

EPSS Score: 0.03% exploit probability (7.4th percentile)

Published: August 14, 2025

Last Updated: August 18, 2025

🔗 References

https://github.com/zzb1388/cve/issues/37 Exploit,Issue Tracking,Third Party Advisory
https://itsourcecode.com/ Product
https://vuldb.com/?ctiid.319961 Permissions Required,VDB Entry
https://vuldb.com/?id.319961 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.628162 Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-8966, you might also want to check these: