CVE-2025-9009 – This vulnerability allows remote attackers to e... (How to Fix)

Q: What is the severity of CVE-2025-9009?

CVE-2025-9009 has a CVSS score of 7.3 (HIGH). This vulnerability allows remote attackers to execute SQL injection attacks against the Online Tour and Travel Management System 1.0. By manipulating the 'Name' parameter in the /admin/email_setup.php file, attackers can potentially access, modify, or delete database content. Organizations using this specific software version are affected.

📋 TL;DR

This vulnerability allows remote attackers to execute SQL injection attacks against the Online Tour and Travel Management System 1.0. By manipulating the 'Name' parameter in the /admin/email_setup.php file, attackers can potentially access, modify, or delete database content. Organizations using this specific software version are affected.

💻 Affected Systems

Products:

itsourcecode Online Tour and Travel Management System

Versions: 1.0

Operating Systems: Any OS running PHP web server

Default Config Vulnerable: ⚠️ Yes

Notes: Requires the /admin/email_setup.php file to be accessible and the system to be running the vulnerable version.

📦 What is this software?

Online Tour \& Travel Management System by Mayurik

View all CVEs affecting Online Tour \& Travel Management System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data destruction, or full system takeover via SQL injection to remote code execution.

🟠

Likely Case

Unauthorized database access allowing extraction of sensitive information like user credentials, personal data, or financial records.

🟢

If Mitigated

Limited impact with proper input validation, parameterized queries, and network segmentation in place.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploit details are publicly available on GitHub, making it easy for attackers to weaponize. Requires admin access to reach the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://itsourcecode.com/

Restart Required: No

Instructions:

No official patch available. Consider implementing workarounds or replacing the software.

🔧 Temporary Workarounds

Input Validation and Sanitization

all

Implement strict input validation and parameterized queries for the Name parameter in email_setup.php

Modify /admin/email_setup.php to use prepared statements: $stmt = $conn->prepare('SELECT * FROM table WHERE name = ?'); $stmt->bind_param('s', $name);

Access Restriction

all

Restrict access to /admin/email_setup.php file using web server configuration

Apache: <Location /admin/email_setup.php> Require ip 192.168.1.0/24 </Location>
Nginx: location /admin/email_setup.php { deny all; }

🧯 If You Can't Patch

Implement Web Application Firewall (WAF) with SQL injection rules
Network segmentation to isolate the vulnerable system from sensitive data

🔍 How to Verify

Check if Vulnerable:

Check if /admin/email_setup.php exists and accepts Name parameter without proper input validation

Check Version:

Check software version in admin panel or configuration files

Verify Fix Applied:

Test SQL injection attempts against the Name parameter to confirm they are blocked

📡 Detection & Monitoring

Log Indicators:

Unusual SQL queries in database logs
Multiple failed login attempts to admin panel
Suspicious POST requests to /admin/email_setup.php

Network Indicators:

SQL injection patterns in HTTP requests
Unusual database connection patterns from web server

SIEM Query:

source="web_logs" AND uri="/admin/email_setup.php" AND (query CONTAINS "UNION" OR query CONTAINS "SELECT" OR query CONTAINS "--")

📊 Metadata

CVE ID: CVE-2025-9009

CVSS v3 Score: 7.3 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CWE: CWE-74

EPSS Score: 0.03% exploit probability (7.4th percentile)

Published: August 15, 2025

Last Updated: September 26, 2025

🔗 References

https://github.com/lin-3-start/lin-cve/issues/3 Exploit,Issue Tracking,Third Party Advisory
https://itsourcecode.com/ Product
https://vuldb.com/?ctiid.320040 Permissions Required,VDB Entry
https://vuldb.com/?id.320040 Third Party Advisory,VDB Entry
https://vuldb.com/?submit.628873 Third Party Advisory,VDB Entry
https://github.com/lin-3-start/lin-cve/issues/3 Exploit,Issue Tracking,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-9009, you might also want to check these: