
CVE-2025-8971: SQL Injection in itsourcecode Online Tour and Travel Management System

Medium
Published: Thu Aug 14 2025 (08/14/2025, 17:02:08 UTC)
Source: CVE Database V5
Vendor/Project: itsourcecode
Product: Online Tour and Travel Management System

Description

A vulnerability was identified in itsourcecode Online Tour and Travel Management System 1.0. It affects unknown code in the file /admin/operations/travellers.php: manipulation of the argument val-username leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 08/14/2025, 17:33:13 UTC

Technical Analysis

CVE-2025-8971 is a SQL injection vulnerability in version 1.0 of the itsourcecode Online Tour and Travel Management System. It is located in the file /admin/operations/travellers.php, where the 'val-username' parameter is incorporated into a database query without adequate sanitization, allowing an attacker to alter the SQL statements executed by the backend database. According to the advisory, the flaw can be exploited remotely without authentication or user interaction, which makes it easy to reach. The CVSS 4.0 base score is 6.9 (medium severity), reflecting a network attack vector, low attack complexity, no privileges required and no user interaction, combined with low impact on each of confidentiality, integrity and availability. Although no exploitation in the wild is currently known, the exploit details have been publicly disclosed, which increases the risk of opportunistic attacks. The Online Tour and Travel Management System is typically used by travel agencies and tour operators to manage bookings, customer data and operational workflows, so successful exploitation could lead to unauthorized data access, data manipulation, or disruption of services critical to business operations.

Potential Impact

For European organizations using the itsourcecode Online Tour and Travel Management System, this vulnerability poses a significant risk to the confidentiality and integrity of customer and operational data. Exploitation could lead to unauthorized disclosure of personally identifiable information (PII) of travelers, including names, contact details and travel itineraries, with GDPR compliance implications. Data manipulation could disrupt booking processes, leading to financial losses and reputational damage. The availability impact, while rated low, could still cause operational disruptions affecting customer service and business continuity. Because the exploit is remote and unauthenticated, attackers could target vulnerable systems en masse, increasing the risk of widespread compromise. The tourism sector is vital in many European economies, and disruption or data breaches in this sector could have cascading effects on customer trust and regulatory scrutiny.

Mitigation Recommendations

Organizations should immediately audit their deployments of the itsourcecode Online Tour and Travel Management System version 1.0 to identify vulnerable instances. Since no official patch is currently available, mitigation should focus on implementing web application firewalls (WAFs) with rules specifically designed to detect and block SQL injection attempts targeting the 'val-username' parameter. Input validation and parameterized queries should be enforced in the application code to prevent injection. Network segmentation and restricting access to the admin interface to trusted IP addresses can reduce exposure. Monitoring and logging of database queries and web application logs should be enhanced to detect suspicious activities. Organizations should also prepare incident response plans for potential exploitation and consider migrating to updated or alternative software solutions once patches or fixes become available. Regular vulnerability scanning and penetration testing focused on injection flaws are recommended to proactively identify and remediate similar issues.
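The following PHP snippet illustrates the parameterized-query and input-validation fix recommended above. It is an added example, not the project's own travellers.php; the table, column names, database DSN and credentials are assumptions, and the vulnerable function is shown only to contrast the string-concatenation pattern with the hardened one.

```php
<?php
// Illustrative pattern for the val-username lookup. Table "travellers" and its
// columns, the DSN and the credentials are assumptions, not the project's real code.

// Vulnerable pattern: the request value is interpolated into the SQL string, so
// any quote or operator inside val-username becomes part of the query structure.
function find_traveller_vulnerable(mysqli $db, string $valUsername): ?array
{
    $sql = "SELECT id, username, email FROM travellers WHERE username = '"
         . $valUsername . "'";
    $result = $db->query($sql);
    return $result ? $result->fetch_assoc() : null;
}

// Hardened pattern: allow-list the input shape, then bind it as a parameter so
// the driver keeps data and query structure separate regardless of content.
function find_traveller_safe(PDO $db, string $valUsername): ?array
{
    // Assumed policy: usernames are 3 to 32 characters from [A-Za-z0-9_.-].
    if (!preg_match('/^[A-Za-z0-9_.-]{3,32}$/', $valUsername)) {
        throw new InvalidArgumentException('invalid username format');
    }
    $stmt = $db->prepare(
        'SELECT id, username, email FROM travellers WHERE username = :u'
    );
    $stmt->bindValue(':u', $valUsername, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage with an assumed DSN and credentials (load real values from configuration).
$pdo = new PDO(
    'mysql:host=localhost;dbname=tourtravel;charset=utf8mb4',
    'app_user',
    'app_password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // use server-side prepared statements
    ]
);
$traveller = find_traveller_safe($pdo, $_POST['val-username'] ?? '');
```

Disabling emulated prepares ensures the parameter is sent to MySQL separately from the statement text; the regex check is an additional layer for this field and is not a substitute for binding.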


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-13T16:15:46.721Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 689e1a3dad5a09ad005d25cf

Added to database: 8/14/2025, 5:17:49 PM

Last enriched: 8/14/2025, 5:33:13 PM

Last updated: 8/21/2025, 12:35:15 AM
