CVE-2025-11352 is a security vulnerability identified in version 1.0 of the code-projects Online Hotel Reservation System. The vulnerability resides in the /admin/addexec.php file, specifically in the handling of the 'image' parameter, which allows unrestricted file uploads. This means an attacker can remotely upload arbitrary files, including potentially malicious scripts, without needing authentication or user interaction. The vulnerability is exploitable over the network with low attack complexity and no privileges required, as indicated by the CVSS 4.0 vector AV:N/AC:L/PR:L/UI:N. The impact on confidentiality, integrity, and availability is limited but present, as attackers could upload web shells or malware to compromise the server or manipulate data. The vulnerability has been publicly disclosed but no known exploits are currently active in the wild. The lack of patch links suggests that no official fix has been released yet, increasing the urgency for organizations to implement compensating controls. The unrestricted upload flaw is a common vector for web application compromise, often leading to server takeover, data exfiltration, or ransomware deployment. Given the administrative nature of the vulnerable endpoint, successful exploitation could allow attackers to gain elevated control over the system.

For European organizations, particularly those in the hospitality sector using the affected Online Hotel Reservation System, this vulnerability poses a significant risk. Exploitation could lead to unauthorized access to sensitive customer data such as personal identification and payment information, damaging confidentiality. Integrity of reservation data and system configurations could be altered, disrupting business operations and trust. Availability may be impacted if attackers deploy ransomware or deface the website, leading to service outages and reputational harm. The hospitality industry in Europe is a high-value target due to the volume of personal data processed and the critical nature of booking systems. Additionally, regulatory frameworks like GDPR impose strict data protection requirements, increasing potential legal and financial consequences of breaches. The medium severity rating reflects a moderate but tangible threat that requires timely remediation to prevent escalation.

Organizations should immediately implement strict input validation and sanitization on the /admin/addexec.php endpoint to restrict file uploads to only safe image formats (e.g., JPEG, PNG) and enforce file size limits. Employ server-side checks to verify MIME types and use allowlists rather than blocklists. Restrict access to the administrative upload functionality via strong authentication and IP whitelisting where possible. Deploy web application firewalls (WAFs) to detect and block suspicious upload attempts. Monitor server logs for unusual file upload activity and scan uploaded files for malware. If patches become available from the vendor, prioritize their deployment. Consider isolating the upload directory with limited execution permissions to prevent uploaded scripts from running. Conduct regular security audits and penetration testing focused on file upload mechanisms. Finally, maintain comprehensive backups and incident response plans to quickly recover from potential compromises.