CVE-2022-30529: n/a in n/a
File upload vulnerability in asith-eranga ISIC tour booking through version published on Feb 13th 2018, allows attackers to upload arbitrary files via /system/application/libs/js/tinymce/plugins/filemanager/dialog.php and /system/application/libs/js/tinymce/plugins/filemanager/upload.php.
AI Analysis
Technical Summary
CVE-2022-30529 is a file upload vulnerability identified in the asith-eranga ISIC tour booking system, specifically in versions published up to February 13, 2018. The vulnerability exists in the file upload functionality exposed via the TinyMCE file manager plugin endpoints: /system/application/libs/js/tinymce/plugins/filemanager/dialog.php and /system/application/libs/js/tinymce/plugins/filemanager/upload.php. This flaw allows an attacker with high privileges (PR:H) to upload arbitrary files to the server without requiring user interaction (UI:N). The vulnerability is classified under CWE-434, which pertains to unrestricted file upload vulnerabilities. Exploiting this vulnerability can lead to full compromise of the affected system, as arbitrary files uploaded could include web shells or malicious scripts that impact confidentiality, integrity, and availability. The CVSS v3.1 base score is 7.2 (high severity), with vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, indicating network attack vector, low attack complexity, but requiring high privileges, no user interaction, unchanged scope, and high impact on confidentiality, integrity, and availability. No patches or vendor information are currently available, and no known exploits in the wild have been reported. The vulnerability affects a niche product used for tour booking, which may be deployed in specific organizations or regions. Given the nature of the vulnerability, attackers with elevated access could leverage it to escalate privileges or maintain persistence by uploading malicious payloads to the web server environment.
Potential Impact
For European organizations using the asith-eranga ISIC tour booking system, this vulnerability poses a significant risk. Successful exploitation could lead to unauthorized code execution, data theft, defacement, or service disruption. Confidential customer data, including personal and payment information, could be exposed or manipulated, leading to regulatory non-compliance under GDPR. The integrity of booking data and availability of the service could be compromised, impacting business operations and customer trust. Since the vulnerability requires high privileges, it implies that an attacker must first gain elevated access, possibly through other vulnerabilities or insider threats, making it a critical post-compromise vector. Organizations in the tourism sector, travel agencies, or related service providers in Europe that rely on this system are at risk of targeted attacks aiming to disrupt services or exfiltrate sensitive data. The absence of patches increases the window of exposure, and the lack of known exploits does not preclude future exploitation, especially if threat actors develop weaponized payloads.
Mitigation Recommendations
1. Immediate mitigation should focus on restricting access to the vulnerable endpoints (/dialog.php and /upload.php) via network-level controls such as IP whitelisting or web application firewalls (WAF) with custom rules to block unauthorized file upload attempts.
2. Conduct a thorough privilege audit to ensure that only trusted users have high-level access to the system, minimizing the risk of privilege abuse.
3. Implement strict file upload validation and sanitization controls, including limiting allowed file types, enforcing file size limits, and scanning uploaded files with antivirus or malware detection solutions.
4. If possible, isolate the affected application in a segmented network zone to limit lateral movement in case of compromise.
5. Monitor logs for suspicious upload activities or anomalous file creations in the application directories.
6. Develop an incident response plan specific to this vulnerability, including steps for containment and recovery.
7. Engage with the software provider or community to seek patches or updates; if unavailable, consider migrating to alternative, actively maintained booking systems.
8. Regularly back up critical data and verify backup integrity to enable recovery from potential ransomware or destructive attacks leveraging this vulnerability.
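Recommendation 3 above (strict upload validation) is the control that actually removes the CWE-434 condition, so the following is an added example of what such a check looks like. It is not code from the ISIC tour booking project (which is PHP) and does not reproduce the vulnerable upload.php; it is a stand-alone Python illustration of the same server-side rules a hardened handler would apply: an extension allowlist tied to expected leading bytes, exactly one extension per filename (so double-extension and null-byte tricks are refused), no path separators, a size cap, a defence-in-depth scan for embedded PHP tags in image polyglots, and a random server-chosen storage name so the client never controls the path. The allowlist contents, the size limit and the function names are this example's own assumptions.

```python
import os
import re
import secrets
from typing import Tuple

# Allowlist of accepted extensions and the leading bytes each must start with.
# Constructed for this example; extend it only with types the application needs.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}

# Assumed upper bound for a single upload (5 MiB).
MAX_UPLOAD_BYTES = 5 * 1024 * 1024

# Server-side code markers that have no business inside an image or PDF.
_SCRIPT_TAG = re.compile(rb"<\?(php|=)")


def validate_upload(client_name: str, data: bytes,
                    max_bytes: int = MAX_UPLOAD_BYTES) -> Tuple[bool, str]:
    """Return (accepted, reason) for a client-supplied filename and its bytes.

    Every rule is an allowlist: anything not positively matched is refused.
    """
    if not data:
        return False, "empty file"
    if len(data) > max_bytes:
        return False, "file exceeds size limit"
    # The client filename is only used to pick an extension; it must be a bare name.
    if "/" in client_name or "\\" in client_name or "\x00" in client_name:
        return False, "filename contains a path separator or NUL byte"
    parts = client_name.lower().split(".")
    # Exactly "<stem>.<ext>": rejects "shell.php.png", ".png" and "noext".
    if len(parts) != 2 or not parts[0] or not parts[1]:
        return False, "filename must be <name>.<extension>"
    ext = parts[1]
    if ext not in ALLOWED_TYPES:
        return False, f"extension not allowed: {ext}"
    # The declared type must agree with the content's magic bytes.
    if not any(data.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        return False, "content does not match declared type"
    # Defence in depth: a valid image header followed by PHP is a polyglot.
    if _SCRIPT_TAG.search(data):
        return False, "embedded server-side script tag"
    return True, "ok"


def safe_storage_name(client_name: str) -> str:
    """Random server-chosen name that keeps only the (validated) extension."""
    ext = client_name.rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


def store_upload(client_name: str, data: bytes, upload_dir: str) -> str:
    """Validate, then write under a random name; never the client's own name."""
    accepted, reason = validate_upload(client_name, data)
    if not accepted:
        raise ValueError(reason)
    name = safe_storage_name(client_name)
    # "xb" refuses to overwrite an existing file, even on a name collision.
    with open(os.path.join(upload_dir, name), "xb") as fh:
        fh.write(data)
    return name


if __name__ == "__main__":
    # Constructed sample inputs: a minimal PNG header and a PHP-tagged GIF polyglot.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
    for name, blob in [("photo.png", png), ("shell.php", b"<?php echo 1; ?>"),
                       ("shell.php.png", png), ("pic.gif", b"GIF89a<?php echo 1; ?>")]:
        print(name, validate_upload(name, blob))
```

Note that the upload directory itself should also be served with script execution disabled (for example, no PHP handler for that path), so that even a validation bypass yields a static file rather than a web shell.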
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2022-05-10T00:00:00.000Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d983dc4522896dcbef46a
Added to database: 5/21/2025, 9:09:17 AM
Last enriched: 6/22/2025, 7:35:58 AM
Last updated: 2/7/2026, 10:06:59 AM