CVE-2025-8972 – This SQL injection vulnerability in itsourcecod... (How to Fix)

Q: What is the severity of CVE-2025-8972?

CVE-2025-8972 has a CVSS score of 7.3 (HIGH). This SQL injection vulnerability in itsourcecode Online Tour and Travel Management System 1.0 allows attackers to manipulate database queries through the email parameter in the login page. Remote attackers can potentially access, modify, or delete sensitive data. All deployments of version 1.0 are affected.

📋 TL;DR

This SQL injection vulnerability in itsourcecode Online Tour and Travel Management System 1.0 allows attackers to manipulate database queries through the email parameter in the login page. Remote attackers can potentially access, modify, or delete sensitive data. All deployments of version 1.0 are affected.

💻 Affected Systems

Products:

itsourcecode Online Tour and Travel Management System

Versions: 1.0

Operating Systems: All

Default Config Vulnerable: ⚠️ Yes

Notes: All installations of version 1.0 are vulnerable. The vulnerability exists in the default installation.

📦 What is this software?

Online Tour \& Travel Management System by Mayurik

View all CVEs affecting Online Tour \& Travel Management System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, authentication bypass, privilege escalation, and potential system takeover.

🟠

Likely Case

Unauthorized data access, credential theft, and potential authentication bypass to gain admin privileges.

🟢

If Mitigated

Limited impact with proper input validation and database permissions, though SQL injection attempts would still be logged.

🌐 Internet-Facing: HIGH - The vulnerability is in the login page which is typically internet-facing, and exploitation can be done remotely.

🏢 Internal Only: MEDIUM - If the system is only accessible internally, risk is reduced but still significant due to potential insider threats.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploit details are publicly available on GitHub. The vulnerability is in the login page which is typically accessible without authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://itsourcecode.com/

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available, or implement workarounds.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Implement proper input validation and parameterized queries for the email parameter in page-login.php

Modify /admin/page-login.php to use prepared statements with parameterized queries

Web Application Firewall (WAF)

all

Deploy a WAF with SQL injection protection rules

Configure WAF to block SQL injection patterns in POST parameters

🧯 If You Can't Patch

Isolate the system behind a firewall with strict access controls
Implement network segmentation to limit database access from the web server

🔍 How to Verify

Check if Vulnerable:

Test the /admin/page-login.php endpoint with SQL injection payloads in the email parameter

Check Version:

Check the system version in the admin panel or configuration files

Verify Fix Applied:

Verify that SQL injection attempts no longer succeed and that parameterized queries are implemented

📡 Detection & Monitoring

Log Indicators:

Unusual SQL error messages in web server logs
Multiple failed login attempts with SQL-like patterns in email field

Network Indicators:

SQL injection patterns in HTTP POST requests to /admin/page-login.php

SIEM Query:

source="web_server_logs" AND uri="/admin/page-login.php" AND (message="sql" OR message="syntax" OR message="union" OR message="select")

📊 Metadata

CVE ID: CVE-2025-8972

CVSS v3 Score: 7.3 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-74

EPSS Score: 0.03% exploit probability (7.4th percentile)

Published: August 14, 2025

Last Updated: August 18, 2025

🔗 References

https://github.com/zzb1388/cve/issues/31 Exploit,Issue Tracking,Third Party Advisory
https://itsourcecode.com/ Product
https://vuldb.com/?ctiid.319967 Permissions Required,VDB Entry
https://vuldb.com/?id.319967 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.628168 Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-8972, you might also want to check these: