CVE-2024-0884: CWE-89 SQL Injection in SourceCodester Online Tours & Travels Management System
A vulnerability was found in SourceCodester Online Tours & Travels Management System 1.0. It has been rated as critical. This issue affects the function exec of the file payment.php. The manipulation of the argument id leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-252035.
AI Analysis
Technical Summary
CVE-2024-0884 is a SQL Injection vulnerability identified in version 1.0 of the SourceCodester Online Tours & Travels Management System. The flaw resides in the payment.php file, specifically within the exec function, where the 'id' parameter is improperly sanitized. This allows an attacker to inject malicious SQL code remotely without requiring user interaction, but exploitation requires high privileges (PR:H). The vulnerability is classified under CWE-89, indicating that it stems from improper neutralization of special elements used in SQL commands. Successful exploitation could lead to unauthorized data access, modification, or deletion, impacting the confidentiality, integrity, and availability of the backend database. Although the CVSS v3.1 base score is 4.7 (medium severity), the vulnerability's remote exploitability and its location in payment processing code make it a significant concern for affected deployments. No public exploits are currently known in the wild, and no patches have been released yet, which increases the risk for organizations still running this version. The vulnerability's presence in a travel management system suggests that sensitive customer and transaction data could be exposed or manipulated if exploited.
Potential Impact
For European organizations using the SourceCodester Online Tours & Travels Management System 1.0, this vulnerability poses a risk to the confidentiality of customer data, including personal identification and payment information. Integrity of transaction records could be compromised, leading to fraudulent bookings or financial discrepancies. Availability of the system might also be affected if attackers execute destructive SQL commands or cause database corruption. Given the travel industry's reliance on accurate and secure booking systems, exploitation could damage business reputation and customer trust, potentially leading to regulatory scrutiny under GDPR for data breaches. The medium CVSS score reflects the need for privileged access, which may limit exposure; however, insider threats or compromised accounts could still leverage this vulnerability. The lack of a patch and public exploit code means organizations must proactively assess and mitigate the risk to prevent potential future attacks.
Mitigation Recommendations
Organizations should immediately audit their use of SourceCodester Online Tours & Travels Management System version 1.0 and plan to upgrade to a patched version once available. In the interim, implement strict input validation and parameterized queries or prepared statements in the payment.php file to prevent SQL injection. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious SQL injection patterns targeting the 'id' parameter. Restrict database user privileges associated with the application to the minimum necessary, preventing high-privilege execution of SQL commands. Conduct regular security assessments and code reviews focusing on input handling. Monitor logs for unusual database queries or errors indicative of injection attempts. Additionally, enforce strong authentication and session management to reduce the risk of privilege escalation that could facilitate exploitation.
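As an added illustration of the parameterized-query fix recommended above (this is not code from the SourceCodester project; the table and column names, the connection details and the two handler functions are assumptions), a hypothetical payment lookup written in the vulnerable style beside its hardened form:

```php
<?php
// Added illustration, not the project's payment.php: a hypothetical lookup of a
// payment record by its 'id' request parameter, first as the CWE-89 pattern,
// then hardened with input validation and a prepared statement.

// --- Vulnerable pattern (hypothetical reconstruction of the bug class) ---
// The request value is concatenated into the SQL text, so SQL metacharacters
// inside 'id' change the structure of the query itself.
function lookup_payment_vulnerable(mysqli $db, string $id): ?array
{
    $sql = "SELECT * FROM payments WHERE id = '" . $id . "'";
    $result = $db->query($sql);
    return $result ? $result->fetch_assoc() : null;
}

// --- Hardened form ---
// 1. Validate the shape of the input: a payment id must be a positive integer.
// 2. Bind the value through a prepared statement so the database treats it as
//    data; the query text is fixed before any user input is involved.
function lookup_payment_safe(mysqli $db, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);       // reject malformed ids before touching the DB
        return null;
    }

    $stmt = $db->prepare("SELECT * FROM payments WHERE id = ?");
    if ($stmt === false) {
        error_log('prepare failed: ' . $db->error);   // log it, never echo DB errors
        return null;
    }
    $stmt->bind_param('i', $id);       // 'i' = integer placeholder
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Usage with assumed connection details (the application's own are not on the page).
// The account 'tours_ro' is assumed to hold only SELECT on the tables this page
// needs, matching the least-privilege recommendation above.
$db = new mysqli('localhost', 'tours_ro', 'secret', 'tours_db');
$db->set_charset('utf8mb4');
$payment = lookup_payment_safe($db, $_GET['id'] ?? '');
header('Content-Type: application/json');
echo json_encode($payment);
```

With the prepared statement in place, a request whose id is anything other than a positive integer is rejected with HTTP 400 and never reaches the database.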
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2024-01-25T13:31:30.264Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 683f3ee7182aa0cae28796d8
Added to database: 6/3/2025, 6:28:55 PM
Last enriched: 7/4/2025, 12:41:46 PM
Last updated: 7/26/2025, 5:10:41 AM