CVE-2022-28607: n/a in n/a
An issue was discovered in asith-eranga ISIC tour booking through the version published on Feb 13th 2018; it allows attackers to gain sensitive information via the action parameter to /system/user/modules/mod_users/controller.php.
AI Analysis
Technical Summary
CVE-2022-28607 is an information disclosure vulnerability in the asith-eranga ISIC tour booking system. The project is identified by publication date rather than by a version number: the version published on February 13, 2018, and everything before it, is affected, and the record references no later fixed release. The flaw sits in /system/user/modules/mod_users/controller.php, apparently the controller of the user module (mod_users), which dispatches on the 'action' request parameter. An unauthenticated attacker who requests that file with a suitable 'action' value receives data that should only be available to a logged-in user. The weakness is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N scores 7.5 (High): reachable over the network, low attack complexity, no privileges and no user interaction required, high confidentiality impact, and no impact on integrity or availability. The CVE record names neither the offending action values nor the exact data returned, so the precise trigger is not public; no patch, vendor advisory, or exploitation in the wild is known at the time of writing. The most probable root cause, given that a user-module controller answers anonymous requests at all, is a missing session or role check before the requested action handler runs, rather than an input-validation bug: the parameter value need not be malformed, it simply names an action the caller should not be allowed to invoke. The product is a niche PHP tour booking application that a travel agency or reseller may have deployed in 2018 and not maintained since.
Potential Impact
For European organizations in the travel and tourism sector running the asith-eranga ISIC tour booking platform, the risk is leakage of whatever the user module holds: personally identifiable information (PII) of customers and staff, booking details, and possibly credential material. Exposure of such data is a personal data breach under GDPR, with notification duties, possible fines, and reputational and financial damage. A single unauthenticated request is enough, so exploitation leaves little trace beyond a web-server access-log entry, and an attacker can harvest records in bulk for identity theft, targeted phishing of customers, or booking fraud. With no patch available the window of exposure is open-ended, which makes compensating controls urgent. The direct impact is on confidentiality only, but leaked credentials turn into an integrity problem as soon as they are reused to log in.
Mitigation Recommendations
Given the absence of an official patch, organizations running this software should put compensating controls in place immediately:
1) Restrict access to /system/user/modules/mod_users/controller.php at the network or web-server layer (firewall, reverse proxy, or WAF) so that only trusted administrative addresses or internal traffic can reach it. The user module is back-office functionality; public visitors booking tours have no reason to call it.
2) Where the endpoint must stay reachable, do not rely on filtering 'action' values: the record does not say which values leak data, so a blocklist cannot be complete. Instead require an authenticated session at the proxy, or in a small guard script included before the controller runs, and reject every request that lacks one.
3) Log every request to the endpoint with its full query string, and alert on requests from outside the trusted ranges, on many distinct 'action' values from one source, and on 200 responses of unexpected size.
4) Review the controller's action handlers and identify which ones return user or booking data without checking the session or role; add those checks in place if the code is maintained locally.
5) If the module is not needed, remove or disable it until a fixed version exists.
6) Brief staff, and make sure the incident response plan covers a customer-data breach, including GDPR notification.
7) Contact the maintainer or the community around the project to ask for a fix, and track the CVE record for updates.
Measures 1 and 3 can be applied within hours and contain the exposure while the code-level fixes are worked out.
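The following is an added example, not code from the advisory or from the ISIC tour booking project, showing how measures 1 and 3 above can be checked against web-server logs: it parses Apache/nginx combined-format access-log lines, normalizes the request path, and reports every request for the vulnerable controller that came from outside a set of trusted networks, grouped by source with the 'action' values tried. The trusted ranges, the sample log lines and the 'action' values in them are constructed for the demonstration; the real action values that trigger the leak are not published, so any external hit on this controller is treated as worth triage.

```python
"""Flag requests to the CVE-2022-28607 endpoint from untrusted sources (added example)."""
import posixpath
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint named in the CVE description.
VULN_PATH = "/system/user/modules/mod_users/controller.php"

# Networks from which back-office traffic is expected. Assumption: adjust to
# the deployment; anything outside these ranges is treated as untrusted.
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Apache/nginx "combined" log format; referer and user-agent are optional.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)(?: "(?P<referer>[^"]*)" "(?P<ua>[^"]*)")?'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    # Collapse "//", "/./" and percent-encoding so the comparison is on the real path.
    rec["path"] = posixpath.normpath(unquote(parts.path))
    # parse_qs returns lists; keep the first value of each parameter.
    rec["params"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def is_trusted(ip_str):
    """True if the source address lies in one of the trusted ranges."""
    try:
        ip = ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETS)


def find_hits(lines):
    """Requests for the vulnerable controller that did not come from a trusted network."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != VULN_PATH or is_trusted(rec["ip"]):
            continue
        hits.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "action": rec["params"].get("action"),
            "status": int(rec["status"]),
            "size": 0 if rec["size"] == "-" else int(rec["size"]),
            "ua": rec.get("ua") or "",
        })
    return hits


def summarize(hits):
    """Per source IP: request count, distinct action values tried, bytes returned with 200.
    Many distinct actions from one source with 200 responses is the enumeration
    pattern to escalate first."""
    out = defaultdict(lambda: {"requests": 0, "actions": set(), "bytes_200": 0})
    for h in hits:
        s = out[h["ip"]]
        s["requests"] += 1
        if h["action"] is not None:
            s["actions"].add(h["action"])
        if h["status"] == 200:
            s["bytes_200"] += h["size"]
    return dict(out)


# Constructed sample lines, not real traffic; the action values are invented.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jun/2025:09:14:02 +0000] "GET /system/user/modules/mod_users/controller.php?action=list HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Jun/2025:09:20:11 +0000] "GET /system/user/modules/mod_users/controller.php?action=list HTTP/1.1" 200 4120 "-" "python-requests/2.31"',
    '203.0.113.7 - - [12/Jun/2025:09:20:12 +0000] "GET /system//user/modules/mod_users/controller.php?action=view&id=1 HTTP/1.1" 200 812 "-" "python-requests/2.31"',
    '203.0.113.7 - - [12/Jun/2025:09:20:13 +0000] "GET /system/user/modules/mod_users/controller.php?action=export HTTP/1.1" 500 0 "-" "python-requests/2.31"',
    '198.51.100.9 - - [12/Jun/2025:09:31:40 +0000] "GET /index.php?page=tours HTTP/1.1" 200 9531 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, s in summarize(find_hits(SAMPLE_LOG)).items():
        print(f"{ip}: {s['requests']} requests, actions={sorted(s['actions'])}, bytes_200={s['bytes_200']}")
```

On the sample data the internal administrator's request is ignored, the unrelated index.php request and the unparseable line are skipped, and 203.0.113.7 is reported with three requests, three distinct action values and 4932 bytes returned on 200 responses. Path normalization matters because a scanner that writes `/system//user/...` still reaches the same PHP file; comparing raw strings would miss it.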
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Switzerland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2022-04-04T00:00:00.000Z
- CISA Enriched: true
Threat ID: 682d9840c4522896dcbf123a
Added to database: 5/21/2025, 9:09:20 AM
Last enriched: 6/22/2025, 1:21:44 AM
Last updated: 8/13/2025, 9:06:06 PM