CVE-2025-8967: SQL Injection in itsourcecode Online Tour and Travel Management System
A vulnerability was determined in itsourcecode Online Tour and Travel Management System 1.0. Affected is an unknown function of the file /admin/operations/packages.php. The manipulation of the argument pname leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-8967 is a SQL injection vulnerability identified in version 1.0 of the itsourcecode Online Tour and Travel Management System. The flaw exists in an unspecified function within the /admin/operations/packages.php file, where the 'pname' parameter is improperly sanitized. This allows an attacker to inject malicious SQL code remotely without requiring authentication or user interaction. Exploiting this vulnerability can lead to unauthorized access to the backend database, enabling attackers to read, modify, or delete sensitive data related to tour packages, bookings, or customer information. The vulnerability has a CVSS 4.0 base score of 6.9 (medium severity), reflecting its network attack vector, low attack complexity, and no privileges or user interaction needed. While no exploitation in the wild is currently known, the public disclosure of exploit code increases the risk of exploitation. The vulnerability impacts confidentiality, integrity, and availability of the affected system's data, with potential for data leakage or manipulation that could disrupt business operations or damage customer trust.
Potential Impact
For European organizations using the itsourcecode Online Tour and Travel Management System, this vulnerability poses a significant risk to the confidentiality and integrity of customer and operational data. Given the tourism sector's importance in Europe, a successful attack could lead to exposure of personally identifiable information (PII), financial details, and booking records, potentially violating GDPR and resulting in legal and financial penalties. Additionally, manipulation or deletion of package data could disrupt service availability, harming business continuity and reputation. Attackers could leverage this vulnerability to pivot into broader network access, especially if the system is integrated with other internal platforms. The remote, unauthenticated nature of the exploit increases the threat level, as attackers can launch attacks without insider access or user interaction, making it easier to target multiple organizations simultaneously.
Mitigation Recommendations
To mitigate this vulnerability, organizations should apply patches or updates from itsourcecode as soon as they are released. In the absence of official patches, it is critical to validate the 'pname' parameter and to use parameterized queries or prepared statements wherever /admin/operations/packages.php passes it to the database. Web application firewalls (WAFs) should be configured to detect and block SQL injection patterns targeting this parameter. Restricting administrative interface access through network segmentation and VPNs can reduce exposure. Regular security audits and code reviews should be conducted to identify similar injection flaws. Additionally, monitoring database logs for unusual queries and setting up intrusion detection systems can help detect exploitation attempts early. Organizations should also ensure backups are current and tested to enable recovery in case of data corruption or loss.
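As an added illustration of the prepared-statement recommendation above (not code from itsourcecode or from this advisory), here is a hypothetical handler for the pname argument. The packages table, its columns, the connection settings and the function names are assumptions, since the application's source is not shown on this page.

```php
<?php
// Added example: hypothetical hardened handling of 'pname'.
// Table `packages`, its columns, 'tour_db' and 'app_user' are assumed names.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on DB errors

function validate_pname($raw): ?string
{
    if (!is_string($raw)) {            // rejects array input such as pname[]=x
        return null;
    }
    $pname = trim($raw);
    // Allowlist of letters, digits, spaces and some punctuation, 1-100 chars.
    // The apostrophe is allowed on purpose: the bound parameter below, not
    // this filter, is what keeps input out of the SQL text.
    if (!preg_match('/^[\p{L}\p{N} .,&\'()-]{1,100}$/u', $pname)) {
        return null;
    }
    return $pname;
}

function find_packages(mysqli $db, string $pname): array
{
    // The SQL text is fixed; pname is sent separately as a bound string.
    $stmt = $db->prepare('SELECT id, pname, price FROM packages WHERE pname = ?');
    $stmt->bind_param('s', $pname);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // needs mysqlnd
    $stmt->close();
    return $rows;
}

$pname = validate_pname($_POST['pname'] ?? null);
if ($pname === null) {
    http_response_code(400);
    exit('Invalid package name');
}

try {
    $db = new mysqli('localhost', 'app_user', getenv('DB_PASS') ?: '', 'tour_db');
    $db->set_charset('utf8mb4');
    header('Content-Type: application/json');
    echo json_encode(find_packages($db, $pname));
} catch (mysqli_sql_exception $e) {
    error_log('packages.php query failed: ' . $e->getMessage()); // server log only
    http_response_code(500);
    exit('Internal error');
}
```

Running the database account (`app_user` here) with only the privileges the page needs limits what any remaining injection flaw elsewhere in the application can reach.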
Affected Countries
Germany, France, Italy, Spain, United Kingdom, Netherlands, Switzerland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-13T16:15:32.686Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 689e0c2dad5a09ad005ca285
Added to database: 8/14/2025, 4:17:49 PM
Last enriched: 8/14/2025, 4:33:18 PM
Last updated: 9/25/2025, 9:48:10 PM