CVE-2025-13545 identifies a SQL injection vulnerability in the ashraf-kabir travel-agency software, affecting versions up to commit 1f25aa03544bc5fb7a9e846f8a7879cecdb0cad3. The vulnerability resides in the /admin_area/index.php file, specifically through the edit_pack parameter, which is improperly sanitized, allowing attackers to inject malicious SQL code. This injection can be exploited remotely without user interaction but requires high privileges (authentication with elevated rights) to execute. The vulnerability impacts confidentiality, integrity, and availability at a low level, potentially allowing attackers to read or modify limited data or disrupt service. The product uses continuous delivery with rolling releases, complicating version tracking and patch availability. The vendor has not responded to early disclosure attempts, and no official patches or updates have been released. Although no known exploits are currently active in the wild, the public disclosure increases the risk of exploitation. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no user interaction, and no scope change, resulting in a medium severity rating of 5.1. The lack of vendor response and patch availability necessitates proactive defensive measures by users.

For European organizations using the ashraf-kabir travel-agency software, this vulnerability poses a moderate risk. Exploitation could lead to unauthorized access to sensitive administrative data, manipulation of travel packages or bookings, and potential disruption of travel services. Confidentiality breaches could expose customer information, while integrity impacts might allow attackers to alter booking details or pricing, undermining trust and operational reliability. Availability impacts, though limited, could disrupt administrative functions critical to travel operations. Given the administrative nature of the affected functionality, exploitation requires high privilege access, reducing the risk from external attackers but increasing concern if insider threats or compromised credentials exist. The lack of vendor patches and public exploit code availability heightens urgency for mitigation. Organizations in Europe with travel agencies or partners using this software must assess exposure and implement compensating controls to prevent data breaches and service interruptions.

1. Immediately restrict access to the /admin_area/index.php interface to trusted internal networks or VPNs to limit exposure. 2. Implement strict input validation and parameter sanitization on the edit_pack parameter at the web application firewall (WAF) or reverse proxy level to block SQL injection attempts. 3. Conduct thorough code reviews and penetration testing focused on SQL injection vectors within the application, especially around administrative functions. 4. Monitor database logs and application logs for unusual queries or error messages indicative of injection attempts. 5. Enforce strong authentication and privilege management to reduce the risk of compromised high-privilege accounts. 6. If possible, deploy runtime application self-protection (RASP) tools to detect and block injection attacks in real time. 7. Engage with the vendor or community to track any forthcoming patches or updates and plan for timely application. 8. Consider isolating or segmenting the travel-agency application environment to limit lateral movement if exploited. 9. Educate administrators about the risk and signs of exploitation to enhance detection capabilities.