CVE-2025-12208 identifies a SQL injection vulnerability in SourceCodester Best House Rental Management System version 1.0, specifically within the login2 function of the /admin_class.php file. The vulnerability arises from improper sanitization of the Username parameter, allowing an attacker to inject arbitrary SQL commands remotely without requiring authentication or user interaction. This flaw enables attackers to manipulate backend database queries, potentially extracting sensitive data, modifying records, or disrupting application functionality. The vulnerability has a CVSS 4.0 base score of 6.9 (medium severity), reflecting its network attack vector, low complexity, no privileges or user interaction required, and limited impact on confidentiality, integrity, and availability. Although no known exploits are currently active in the wild, the public disclosure increases the risk of exploitation. The affected product is a niche rental management system, which may be deployed by small to medium enterprises managing property rentals. The vulnerability's exploitation could lead to unauthorized access to tenant information, financial data, or administrative controls, posing significant risks to data privacy and business operations. The lack of available patches necessitates immediate mitigation through secure coding practices and access controls.

For European organizations using the SourceCodester Best House Rental Management System 1.0, this vulnerability poses risks including unauthorized disclosure of tenant and financial data, potential data tampering, and service disruption. Such impacts could lead to regulatory non-compliance under GDPR due to data breaches, reputational damage, and financial losses. The ability to exploit the vulnerability remotely without authentication increases the attack surface, making it attractive for opportunistic attackers and cybercriminals targeting real estate management platforms. Operational disruptions could affect property management workflows, causing delays and customer dissatisfaction. Given the sensitive nature of rental and tenant data, confidentiality breaches could have legal and financial consequences. The medium severity rating indicates a moderate but actionable risk that should be addressed promptly to avoid exploitation. Organizations relying on this software must assess their exposure and implement compensating controls until patches are available.

1. Immediately audit and review the login2 function in /admin_class.php to identify and sanitize all user inputs, especially the Username parameter. 2. Implement parameterized queries or prepared statements to prevent SQL injection. 3. Restrict database user permissions to the minimum necessary to limit the impact of any injection attempts. 4. Monitor logs for unusual or suspicious database queries indicative of injection attempts. 5. If possible, isolate the affected system from external networks or restrict access via firewalls until a patch or update is applied. 6. Engage with the vendor or community to obtain or develop a patch addressing this vulnerability. 7. Conduct security awareness training for developers and administrators on secure coding and input validation. 8. Perform regular vulnerability scanning and penetration testing focused on injection flaws. 9. Consider deploying Web Application Firewalls (WAF) with rules to detect and block SQL injection patterns targeting this application. 10. Maintain up-to-date backups to enable recovery in case of data corruption or loss.