CVE-2024-42775 is an Incorrect Access Control vulnerability identified in the Kashipara Hotel Management System version 1.0. The vulnerability exists in the /admin/add_room_controller.php script, which is responsible for adding hotel room entries within the administrative interface. Due to improper access control, this endpoint can be accessed directly via URL without requiring any authentication or authorization, allowing unauthenticated attackers to add valid hotel room records. This flaw violates the principle of least privilege and exposes the system to unauthorized data manipulation. The vulnerability is classified under CWE-284 (Improper Access Control) and has a CVSS v3.1 base score of 9.1, reflecting its critical severity. The attack vector is network-based (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and affects confidentiality and integrity (C:H/I:H) but not availability (A:N). Although no public exploits have been reported yet, the ease of exploitation and the critical nature of the vulnerability make it a high-risk issue for affected organizations. The lack of patch links suggests that a fix may not yet be publicly available, emphasizing the need for immediate compensating controls.

The impact of CVE-2024-42775 is significant for organizations using Kashipara Hotel Management System v1.0. An attacker exploiting this vulnerability can add unauthorized hotel room entries, potentially corrupting booking data, inventory management, and pricing information. This unauthorized data manipulation can lead to operational disruptions, financial losses, and damage to the organization's reputation. Since the vulnerability allows unauthenticated access, it broadens the attack surface, enabling remote attackers with minimal technical skills to compromise system integrity. Confidential customer and business data could be indirectly affected if attackers use the vulnerability as a foothold for further attacks. The absence of availability impact means the system remains operational, but the integrity and confidentiality breaches pose serious risks to business continuity and trust. Organizations in the hospitality sector relying on this software are particularly vulnerable, and the threat could extend to partners and customers through cascading effects.

To mitigate CVE-2024-42775, organizations should immediately restrict access to the /admin/add_room_controller.php endpoint by implementing robust authentication and authorization mechanisms. This includes enforcing strong user authentication (e.g., multi-factor authentication) for all administrative interfaces and validating user roles before allowing access to sensitive functions. Network-level controls such as IP whitelisting or VPN access for administrative portals can further reduce exposure. Conduct thorough code reviews and penetration testing to identify and remediate similar access control issues in other parts of the application. Monitor web server logs and application activity for unusual or unauthorized access attempts to the admin endpoints. If a patch becomes available from the vendor, prioritize its deployment. As a temporary measure, consider disabling the vulnerable functionality if feasible. Additionally, educate staff about the risks of exposing administrative URLs and ensure secure development lifecycle practices to prevent recurrence.