CVE-2022-30528: SQL Injection in asith-eranga ISIC tour booking (CVE vendor/product fields: n/a in n/a)
SQL Injection vulnerability in asith-eranga ISIC tour booking through version published on Feb 13th 2018, allows attackers to execute arbitrary commands via the username parameter to /system/user/modules/mod_users/controller.php.
AI Analysis
Technical Summary
CVE-2022-30528 is a critical SQL injection vulnerability in the asith-eranga ISIC tour booking system, affecting the code base through the version published on February 13th, 2018; no later, fixed release is identified in the CVE record. The flaw lies in how the 'username' parameter is handled by the endpoint /system/user/modules/mod_users/controller.php: the value is placed into an SQL statement without parameterization or proper escaping, so an attacker controls part of the query that the backend database executes. The CVE description speaks of "arbitrary commands"; in practice this means arbitrary SQL against the application's database (reading, modifying or deleting data, and bypassing whatever login or user-lookup check the username parameter feeds). Any further reach, such as reading or writing files on the database host, depends on the privileges of the database account the application connects with. The weakness is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects that the endpoint is reachable over the network, requires no privileges and no user interaction, and that a successful injection fully compromises the confidentiality, integrity and availability of the data. No public exploits had been reported in the wild as of the publication date, but a flaw of this kind is trivial to trigger with standard SQL injection tooling, so any exposed instance should be treated as at high risk. No vendor or product metadata and no patch links are recorded for this CVE, so affected organizations must locate and fix the code themselves.
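The injection pattern described above, reduced to a runnable illustration. This is an added example, not code from the ISIC tour booking project: the real controller.php is PHP and its query is not reproduced here. The schema, the user rows, the payload strings and the login/lookup functions are constructed for the demo, and Python's sqlite3 stands in for the application's database so the block runs offline. The vulnerable and the fixed form of each query are shown side by side.

```python
import sqlite3


def make_db():
    """Constructed demo database standing in for the booking system's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "S3cret!"), ("alice", "hunter2")])
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """Hypothetical vulnerable pattern (CWE-89): the username is concatenated into
    the SQL text, so quotes and comment sequences in it rewrite the statement."""
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(conn, username, password):
    """Fixed pattern: a parameterized query. The driver sends the values separately
    from the statement, so a quote in the username is data, not syntax."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def vulnerable_lookup(conn, username):
    """Same flaw in a lookup query: a UNION lets the attacker read other columns."""
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [r[0] for r in conn.execute(sql).fetchall()]


def safe_lookup(conn, username):
    sql = "SELECT username FROM users WHERE username = ?"
    return [r[0] for r in conn.execute(sql, (username,)).fetchall()]


def stacked_query_attempt(conn):
    """Caveat: Python's sqlite3.execute() refuses more than one statement, so a
    stacked payload ('; DROP TABLE ...) raises here. Drivers that allow multiple
    statements per call (for example mysqli_multi_query in PHP) would run it."""
    try:
        vulnerable_login(conn, "admin'; DROP TABLE users; -- ", "x")
        return "executed"
    except Exception as exc:  # sqlite3 raises Warning or ProgrammingError depending on version
        return "refused: " + type(exc).__name__


# Constructed payloads of the kind a scanner would send in the username parameter.
BYPASS = "admin' -- "                                  # comments out the password check
DUMP = "' UNION ALL SELECT password FROM users -- "    # appends every password to the result

if __name__ == "__main__":
    conn = make_db()
    print("vulnerable login, bypass payload:", vulnerable_login(conn, BYPASS, "wrong"))  # admin
    print("safe login, same payload:       ", safe_login(conn, BYPASS, "wrong"))        # None
    print("vulnerable lookup, dump payload:", vulnerable_lookup(conn, DUMP))             # ['S3cret!', 'hunter2']
    print("safe lookup, same payload:      ", safe_lookup(conn, DUMP))                   # []
    print("stacked query:", stacked_query_attempt(conn))
```

The point to take from the two pairs is that the fix is not filtering quotes out of the username (the vulnerable functions would still be exploitable through other characters and encodings) but keeping user input out of the statement text entirely.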
Potential Impact
For European organizations, the impact can be severe, particularly in the travel, tourism and booking sectors where the asith-eranga ISIC tour booking system, or code derived from it, may be deployed. Exploitation could expose the customer records held in the booking database, which may include personal identification details and payment-related data, with the breach-notification and GDPR obligations that follow. Booking data could be altered or deleted, enabling fraudulent bookings or cancellations and undermining operations and customer trust. Availability is at risk if an attacker issues destructive SQL (dropping or truncating tables) or ties up the database with expensive queries. Because the affected parameter is a username, the injection may also allow an attacker to bypass authentication or to harvest password hashes, which become reusable against other systems wherever credentials are shared; where the database account holds file or administrative privileges, the injection can become a foothold on the host itself. No exploits in the wild were known at publication, which lowers the immediate risk but not the likelihood of future attacks: SQL injection in a web-exposed user-handling endpoint is among the first things opportunistic scanners and tools such as sqlmap will find once a target is identified.
Mitigation Recommendations
- Inventory every deployment of the asith-eranga ISIC tour booking system, including forks and customized copies, and record the version or publication date of the code in use; everything through the February 13th, 2018 release is affected.
- Fix the code: replace string-built SQL in /system/user/modules/mod_users/controller.php, and in every other place where user input reaches the database, with prepared statements (PDO or mysqli with bound parameters). Escaping or "sanitizing" input is a weaker fallback, not a substitute for parameterization.
- If the code cannot be changed immediately, place a Web Application Firewall or a ModSecurity rule set in front of the application with a specific rule for the username parameter of controller.php. Treat this as a stopgap, since WAF rules are routinely bypassed with encoding and syntax variations.
- Monitor web server and application logs for requests to /system/user/modules/mod_users/controller.php whose username value contains quotes, SQL comment sequences, UNION/SELECT fragments or tautologies, and for bursts of database errors originating from that endpoint. Standard access logs do not record POST bodies, so application-level request logging may be needed if the parameter is sent by POST.
- Run the application with a database account that has only the privileges it needs (no FILE, no DDL, no access to other schemas), so that a successful injection cannot be escalated to file read/write or host compromise.
- If an instance has been exposed unpatched, check the database for unauthorized changes and rotate any credentials stored in it.
- Prepare and test an incident response procedure for SQL injection, including restoration from known-good backups and forensic review of query and access logs.
- Ask the maintainer or community for a fixed release; if none is forthcoming, plan a migration to an actively maintained booking system.
- Train developers on parameterized queries and schedule regular vulnerability assessments of web-facing applications.
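A minimal version of the log check recommended above, run over constructed Apache combined-format lines. This is an added example, not the page's or the project's code; the log lines, the scoring weights and the alert threshold are assumptions for the demo and should be tuned against real traffic. The check keys on the endpoint and parameter named in the CVE description and deliberately does not alert on a lone apostrophe, so legitimate names like o'brien do not fire it.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoint and parameter named in the CVE description.
TARGET_PATH = "/system/user/modules/mod_users/controller.php"
TARGET_PARAM = "username"

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [21/May/2025:09:09:19 +0000] "GET /system/user/modules/mod_users/controller.php?username=alice&password=hunter2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.11 - - [21/May/2025:09:09:20 +0000] "GET /system/user/modules/mod_users/controller.php?username=admin%27+--+&password=x HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.12 - - [21/May/2025:09:09:21 +0000] "GET /system/user/modules/mod_users/controller.php?username=%27+UNION+ALL+SELECT+password+FROM+users+--+&password=x HTTP/1.1" 200 2048 "-" "sqlmap/1.7"
203.0.113.13 - - [21/May/2025:09:09:22 +0000] "GET /index.php?page=tours HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
203.0.113.14 - - [21/May/2025:09:09:23 +0000] "GET /system/user/modules/mod_users/controller.php?username=o%27brien&password=pw HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line into its fields plus the decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "path": parts.path,
        "params": parse_qs(parts.query, keep_blank_values=True),
        "status": int(m.group("status")),
        "ua": m.group("ua"),
    }


def sqli_score(value):
    """Heuristic score for one parameter value. Weights are assumptions for the demo:
    a quote alone is weak evidence; comments, UNION/SELECT, tautologies and stacked
    statements are strong evidence."""
    score, reasons = 0, []
    if "'" in value or '"' in value:
        score += 1
        reasons.append("quote")
    if re.search(r"--|/\*|#", value):
        score += 2
        reasons.append("comment")
    if re.search(r"\bunion\b[\s\S]*\bselect\b", value, re.I):
        score += 3
        reasons.append("union-select")
    if re.search(r"\bor\b\s+\S+\s*=\s*\S+", value, re.I):
        score += 2
        reasons.append("or-tautology")
    if re.search(r";\s*(drop|insert|update|delete|alter)\b", value, re.I):
        score += 3
        reasons.append("stacked-query")
    return score, reasons


def scan_log(text, threshold=2):
    """Return one finding per request to TARGET_PATH whose username scores at or above threshold."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"] != TARGET_PATH:
            continue
        for value in rec["params"].get(TARGET_PARAM, []):
            score, reasons = sqli_score(value)
            if score >= threshold:
                findings.append({"ip": rec["ip"], "ts": rec["ts"], "username": value,
                                 "score": score, "reasons": reasons, "ua": rec["ua"]})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} score={f['score']} {f['reasons']} ua={f['ua']!r} username={f['username']!r}")
```

Two of the five constructed lines are flagged (the comment-truncation bypass and the UNION dump); the legitimate login and the apostrophe-only name are not. The same scoring can be applied to application-side request logs when the parameter arrives by POST, which an access log will not show.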
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Austria, Switzerland
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2022-05-10T00:00:00.000Z
- CISA Enriched: true
Threat ID: 682d983fc4522896dcbf0b7a
Added to database: 5/21/2025, 9:09:19 AM
Last enriched: 6/22/2025, 3:23:04 AM
Last updated: 7/26/2025, 4:07:33 AM