CVE-2025-10843 is a SQL Injection vulnerability identified in version 1.0 of the Reservation Online Hotel Reservation System, specifically within the /reservation/paypalpayout.php file. The vulnerability arises from improper sanitization or validation of the 'confirm' parameter, which can be manipulated by an attacker to inject malicious SQL code. This injection flaw allows an unauthenticated remote attacker to execute arbitrary SQL queries on the backend database without requiring any user interaction or privileges. The vulnerability is exploitable over the network (AV:N), with low attack complexity (AC:L), no authentication (PR:N), and no user interaction (UI:N) needed. The impact on confidentiality, integrity, and availability is limited (VC:L, VI:L, VA:L), indicating partial but not total compromise of data or system functionality. The CVSS 4.0 base score is 6.9, categorizing it as a medium severity vulnerability. Although no known exploits are currently reported in the wild, the existence of a published exploit increases the risk of exploitation. The vulnerability could allow attackers to extract sensitive data, modify or delete records, or disrupt reservation processes, potentially leading to financial loss and reputational damage for affected organizations. The lack of patches or vendor-provided mitigations at this time further elevates the risk for users of this software version.

For European organizations using the Reservation Online Hotel Reservation System 1.0, this vulnerability poses a significant risk to the confidentiality and integrity of customer and transactional data. Hotels and travel agencies relying on this system could face unauthorized data disclosure, including personal and payment information, leading to privacy violations under GDPR. Integrity compromises could result in fraudulent bookings, financial discrepancies, or manipulation of payout processes, affecting business operations and customer trust. Availability impacts, while limited, could disrupt reservation workflows, causing operational delays. Given the hospitality sector's importance in Europe’s economy and the sensitivity of customer data handled, exploitation could lead to regulatory penalties, legal liabilities, and damage to brand reputation. The remote, unauthenticated nature of the exploit increases the likelihood of attacks, especially if threat actors target hospitality businesses during peak travel seasons or special events.

Organizations should immediately audit their use of the Reservation Online Hotel Reservation System and identify any instances of version 1.0 in their environment. Since no official patches are currently available, the following specific mitigations are recommended: 1) Implement Web Application Firewall (WAF) rules to detect and block SQL injection attempts targeting the 'confirm' parameter in /reservation/paypalpayout.php. 2) Employ input validation and parameterized queries or prepared statements if source code access and modification are possible, to sanitize inputs properly. 3) Restrict database user permissions to the minimum necessary, limiting the impact of any successful injection. 4) Monitor logs for unusual database query patterns or repeated access attempts to the vulnerable endpoint. 5) Consider isolating or disabling the vulnerable functionality if it is not critical to operations. 6) Plan for an upgrade or replacement of the affected software version once a vendor patch or secure alternative is available. 7) Conduct regular security assessments and penetration testing focused on injection flaws in web applications.