
CVE-2025-13208: SQL Injection in FantasticLBP Hotels Server

Severity: Medium
Tags: Vulnerability, CVE-2025-13208, cve
Published: Sat Nov 15 2025 (11/15/2025, 18:02:07 UTC)
Source: CVE Database V5
Vendor/Project: FantasticLBP
Product: Hotels Server

Description

A security flaw has been discovered in FantasticLBP Hotels Server up to 67b44df162fab26df209bd5d5d542875fcbec1d0. The impacted element is an unknown function of the file controller/api/hotelList.php. The manipulation of the argument subjectId/cityName results in SQL injection. The attack can be executed remotely. The exploit has been released to the public and may be exploited. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 11/15/2025, 18:27:44 UTC

Technical Analysis

CVE-2025-13208 is a SQL injection vulnerability identified in the FantasticLBP Hotels Server software, specifically within an unknown function in the file controller/api/hotelList.php. The vulnerability arises from improper sanitization of the input parameters subjectId and cityName, which are used directly in SQL queries without adequate validation or parameterization. This allows remote attackers to inject arbitrary SQL code by manipulating these parameters, potentially leading to unauthorized data access, data modification, or deletion within the backend database. The attack vector is network-based, requiring no authentication or user interaction, making it relatively easy to exploit. The software follows a rolling release model, which complicates tracking affected versions and patch deployment. Despite early notification, the vendor has not responded or provided a patch, and public exploit code is available, increasing the likelihood of exploitation. The CVSS 4.0 score is 5.3 (medium), reflecting the moderate impact and ease of exploitation. The vulnerability affects confidentiality, integrity, and availability of data managed by the Hotels Server, which likely includes sensitive customer and booking information. No known mitigations or patches have been released, and the lack of vendor response increases the urgency for organizations to implement compensating controls.

Potential Impact

For European organizations, especially those in the hospitality and travel sectors using FantasticLBP Hotels Server, this vulnerability poses significant risks. Exploitation could lead to unauthorized disclosure of personal customer data, including booking details and potentially payment information, violating GDPR and other privacy regulations. Data integrity could be compromised, allowing attackers to alter bookings or inject fraudulent data, disrupting business operations and damaging reputation. Availability may also be affected if attackers execute destructive SQL commands, causing service outages. The public availability of exploit code increases the risk of automated attacks and widespread exploitation. Non-compliance with data protection laws due to breaches could result in substantial fines and legal consequences. The rolling release nature of the software complicates patch management, increasing the window of exposure. Organizations in countries with large tourism industries and high adoption of this software are particularly vulnerable to operational and financial impacts.

Mitigation Recommendations

Given the absence of an official patch, European organizations should implement immediate compensating controls. First, apply strict input validation and sanitization on all parameters, especially subjectId and cityName, to prevent injection of malicious SQL code. Refactor the application code to use parameterized queries or prepared statements wherever database inputs are handled. Employ Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the vulnerable endpoints. Restrict network access to the Hotels Server API to trusted IP ranges and monitor logs for suspicious activity. Conduct thorough code audits to identify and remediate similar injection points. Implement database-level permissions to limit the impact of a successful injection, ensuring the application uses least privilege accounts. Regularly back up databases to enable recovery from potential destructive attacks. Engage with the vendor for updates and consider alternative software solutions if no timely patch is forthcoming. Finally, raise awareness among security teams to prioritize monitoring and incident response readiness for this vulnerability.
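The recommendations above (integer and allow-list validation of subjectId and cityName, prepared statements, a least-privilege database account, and logging of rejected requests) combined into one handler in the style of a PHP API endpoint. This is an added example written for this page, not the FantasticLBP code: the table and column names (hotels, subject_id, city, name, price), the DSN and the read-only account hotels_ro are assumptions, since the vulnerable function itself is not public.

```php
<?php
// Added example: a hardened handler in the style of controller/api/hotelList.php.
// NOT the FantasticLBP code. Table/column names, DSN and the account are assumptions.
declare(strict_types=1);

// Least privilege: this endpoint only reads, so connect with a read-only account
// (hotels_ro is an assumed name). A successful injection then cannot modify or drop data.
$pdo = new PDO('mysql:host=127.0.0.1;dbname=hotels_db;charset=utf8mb4', 'hotels_ro', 'CHANGE_ME', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false, // real server-side prepared statements
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

/**
 * subjectId must be a positive integer. Returns null when missing or malformed.
 */
function parseSubjectId(array $query): ?int
{
    if (!isset($query['subjectId'])) {
        return null;
    }
    $id = filter_var($query['subjectId'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => PHP_INT_MAX],
    ]);
    return $id === false ? null : $id;
}

/**
 * cityName: letters (any script), spaces, dots, hyphens, apostrophes, at most 64 chars.
 * This allow-list is defence in depth; the prepared statement below is what
 * actually prevents injection, so the pattern can stay permissive enough for real names.
 */
function parseCityName(array $query): ?string
{
    if (!isset($query['cityName']) || !is_string($query['cityName'])) {
        return null;
    }
    $city = trim($query['cityName']);
    if ($city === '' || mb_strlen($city) > 64) {
        return null;
    }
    if (!preg_match('/^[\p{L} .\'-]+$/u', $city)) {
        return null;
    }
    return $city;
}

/**
 * Build the query with placeholders only; user data never touches the SQL text.
 */
function fetchHotels(PDO $pdo, ?int $subjectId, ?string $cityName): array
{
    $sql    = 'SELECT id, name, city, price FROM hotels WHERE 1 = 1';
    $params = [];
    if ($subjectId !== null) {
        $sql .= ' AND subject_id = :subject_id';
        $params[':subject_id'] = $subjectId;
    }
    if ($cityName !== null) {
        $sql .= ' AND city = :city';
        $params[':city'] = $cityName;
    }
    $sql .= ' ORDER BY name LIMIT 100';

    $stmt = $pdo->prepare($sql);
    foreach ($params as $name => $value) {
        $stmt->bindValue($name, $value, is_int($value) ? PDO::PARAM_INT : PDO::PARAM_STR);
    }
    $stmt->execute();
    return $stmt->fetchAll();
}

$subjectId = parseSubjectId($_GET);
$cityName  = parseCityName($_GET);

// A parameter that was supplied but failed validation is rejected with 400 and logged;
// a burst of these against this endpoint is a useful signal for the SOC.
if ((isset($_GET['subjectId']) && $subjectId === null) ||
    (isset($_GET['cityName'])  && $cityName  === null)) {
    error_log(sprintf('hotelList: rejected malformed parameters from %s',
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    http_response_code(400);
    header('Content-Type: application/json');
    echo json_encode(['error' => 'invalid parameters']);
    exit;
}

header('Content-Type: application/json');
echo json_encode(['hotels' => fetchHotels($pdo, $subjectId, $cityName)]);
```

The ordering matters: validation rejects obviously malformed input early and produces a log line, but correctness does not depend on it, because bindValue() sends the values separately from the statement text. Granting hotels_ro only SELECT on the hotels table is what limits the blast radius if another injection point is later found in the same code base.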


Technical Details

Data Version: 5.2
Assigner Short Name: VulDB
Date Reserved: 2025-11-14T18:57:26.221Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6918c2a66c45b14c393afde5

Added to database: 11/15/2025, 6:12:54 PM

Last enriched: 11/15/2025, 6:27:44 PM

Last updated: 11/16/2025, 4:10:51 AM

