CVE-2025-8380: Cross Site Scripting in Campcodes Online Hotel Reservation System
A vulnerability classified as problematic was found in Campcodes Online Hotel Reservation System 1.0. This vulnerability affects unknown code of the file /admin/add_query_account.php. The manipulation of the argument Name leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-8380 is a cross-site scripting (XSS) vulnerability in version 1.0 of the Campcodes Online Hotel Reservation System, located in the file /admin/add_query_account.php. The 'Name' parameter is not adequately validated on input or encoded on output, so an attacker who can get a crafted value into it can inject script that runs in the browser of whoever views the resulting page, with that user's session and privileges. The CVSS 4.0 base score is 5.1 (medium). The published vector fragment shows that the endpoint is reachable over the network (AV:N), that the attack has low complexity (AC:L), that there are no special attack requirements such as a race condition or a particular deployment (AT:N), and that passive user interaction is needed (UI:P): a victim must load the affected page but need not do anything beyond that. Note that AT:N says nothing about authentication. The Privileges Required metric is not reproduced here, and because the endpoint lives under /admin/, submitting the form most likely needs an authenticated administrator session, which an attacker could hold directly or reach by tricking an administrator into submitting the value. The practical impact of XSS inside an admin panel is session hijacking where the session cookie is readable by script, credential theft through injected forms, and requests made in the administrator's name; availability is not directly affected. VulDB classifies the issue as 'problematic' and states that an exploit has already been disclosed publicly, which lowers the bar for opportunistic attacks even though no in-the-wild exploitation was known and no vendor patch had been published when this analysis was written. Because the product manages hotel bookings, the likely targets are hotel administrators and staff, and the data at stake is booking and guest information.
Potential Impact
For European organizations, particularly hotels and other hospitality businesses running Campcodes Online Hotel Reservation System 1.0, the exposed surface is the administrative interface, which is where booking records and guest data are handled. Script running in an administrator's session can read whatever that administrator can see, including personal data, booking details and any payment information the deployment stores, and can submit requests in the administrator's name; a breach of that data may trigger notification obligations under GDPR. XSS is also a common first step towards session hijacking or credible phishing of staff, so the consequences are not confined to the one page. Exposure scales with booking volume and with how many internal systems trust the reservation system's data. The medium rating reflects the need for user interaction and the limited scope; it is not a reason to defer action, because the endpoint is reachable over the network and a public exploit already exists.
Mitigation Recommendations
Restrict who can reach /admin/add_query_account.php: place the admin panel behind a VPN or an IP allow list, and do not expose it to the public internet at all if staff do not need that. Fix the code: reject Name values that fall outside an allow list of name characters, and encode every stored or reflected value with htmlspecialchars() (ENT_QUOTES, UTF-8) at the point where it is written into HTML; filtering on input alone is not a complete fix. Because the endpoint's name suggests the value is stored, also inspect existing account records for injected markup rather than only blocking new submissions. A WAF rule for this endpoint is a useful stop-gap, not a fix. Add a Content-Security-Policy without 'unsafe-inline' to the admin pages and mark the session cookie HttpOnly and SameSite so a successful injection cannot simply read and exfiltrate it. If the functionality is not needed, disable the page until a fix is in place. Train administrative users to be suspicious of links that land them in the admin panel, and review web server logs for requests to the endpoint whose Name parameter contains angle brackets, quotes or their URL-encoded forms (%3C, %3E, %22, %27). Finally, press the vendor for a patch and apply it as soon as one is released.
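As an added example (not code from Campcodes or from this advisory), the following PHP shows the class of defect described in the Technical Summary beside the input validation, output encoding and defence-in-depth headers recommended above. The real structure of /admin/add_query_account.php is not shown on this page, so the function names, the form handling and the surrounding hardening are assumptions; only the parameter name Name and the file path come from the advisory.

```php
<?php
// Added example, not Campcodes code. Function names and request handling
// are assumptions; the real add_query_account.php is not reproduced here.
declare(strict_types=1);

// --- Vulnerable pattern (hypothetical reconstruction of the bug class) ---
// Writing the raw parameter into HTML lets <script> or an event-handler
// attribute reach the browser intact. Kept only to show the contrast.
function render_name_unsafe(string $name): string
{
    return '<td>' . $name . '</td>';
}

// --- Hardened pattern ---
// 1. Validate on input. An account name has no business containing angle
//    brackets, quotes or control characters: reject, do not "clean".
function validate_name(string $name): ?string
{
    $name = trim($name);
    if ($name === '' || mb_strlen($name, 'UTF-8') > 64) {   // needs ext/mbstring
        return null;
    }
    // Letters of any script, combining marks, digits, space, dot, apostrophe, hyphen.
    if (!preg_match('/^[\p{L}\p{M}\p{N} .\'-]+$/u', $name)) {
        return null;
    }
    return $name;
}

// 2. Encode on output, for the HTML context the value is written into.
//    ENT_QUOTES also encodes the apostrophe so attribute contexts stay safe;
//    ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_name_safe(string $name): string
{
    return '<td>' . h($name) . '</td>';
}

// 3. Defence in depth for admin pages: a CSP without 'unsafe-inline' blocks
//    injected inline script even if an encoding gap remains, and HttpOnly
//    keeps the session cookie out of document.cookie. Call before session_start().
function send_admin_headers(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'");
    header('X-Content-Type-Options: nosniff');
    ini_set('session.cookie_httponly', '1');
    ini_set('session.cookie_samesite', 'Strict');
}

// Hypothetical request handler: invalid names get a 400, and the rejected
// value is never echoed back (a common place for reflected XSS to hide).
function handle_add_query_account(array $post): array
{
    $name = validate_name((string) ($post['Name'] ?? ''));
    if ($name === null) {
        return ['status' => 400, 'body' => '<p>Invalid name.</p>'];
    }
    // ... persist $name with a prepared statement here ...
    return ['status' => 200, 'body' => '<table><tr>' . render_name_safe($name) . '</tr></table>'];
}

// Self-check from the command line: php hardened_name.php
if (PHP_SAPI === 'cli') {
    $payload = '<script>alert(1)</script>';            // constructed test input
    echo 'unsafe: ', render_name_unsafe($payload), PHP_EOL;
    echo 'safe:   ', render_name_safe($payload), PHP_EOL;
    foreach (['Name' => $payload] + [] as $_) { /* no-op, keeps the array literal readable */ }
    $r = handle_add_query_account(['Name' => $payload]);
    echo 'handler status for script payload: ', $r['status'], PHP_EOL;
    $r = handle_add_query_account(['Name' => "O'Brien"]);
    echo 'handler status for a legitimate name: ', $r['status'], ' ', $r['body'], PHP_EOL;
}
```

The point of keeping both validation and encoding is that they guard different things: validation keeps markup out of the database (which matters if the value is stored and later shown on other pages), while encoding is what actually prevents a browser from interpreting whatever did get stored. The CSP and cookie flags limit what a successful injection can do if either layer is bypassed.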
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands
Technical Details
- Data Version (CVE record format): 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-07-30T17:54:27.021Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 688b50dbad5a09ad00b6e7e5
Added to database: 7/31/2025, 11:17:47 AM
Last enriched: 7/31/2025, 11:32:42 AM
Last updated: 8/1/2025, 12:54:03 AM
Related Threats
- CVE-2025-8442: SQL Injection in code-projects Online Medicine Guide (Medium)
- CVE-2025-8441: SQL Injection in code-projects Online Medicine Guide (Medium)
- CVE-2025-8439: SQL Injection in code-projects Wazifa System (Medium)
- CVE-2025-8438: SQL Injection in code-projects Wazifa System (Medium)
- CVE-2025-7646: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in posimyththemes The Plus Addons for Elementor – Elementor Addons, Page Templates, Widgets, Mega Menu, WooCommerce (Medium)