CVE-2025-8982: SQL Injection in itsourcecode Online Tour and Travel Management System
A vulnerability was found in itsourcecode Online Tour and Travel Management System 1.0. It affects unknown code in the file /admin/operations/currency.php. Manipulation of the argument curr_code leads to SQL injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be used.
AI Analysis
Technical Summary
CVE-2025-8982 is a SQL injection vulnerability in version 1.0 of the itsourcecode Online Tour and Travel Management System. The flaw is in /admin/operations/currency.php: the value of the curr_code request parameter reaches a database query without being bound as a parameter, so a remote attacker who can reach the endpoint can append their own SQL to the query and have the database execute it. The CVSS 4.0 base score is 6.9 (Medium). The summary describes the attack as network-based and low complexity, with no user interaction and no privileges required; note, however, that the CVSS vector is not reproduced on this page and the affected script sits under /admin/, so confirm against the VulDB entry whether an authenticated admin session is needed before treating this as a pre-authentication issue. The impact on confidentiality, integrity and availability is rated low: the attacker can read or modify data in the application's database and degrade the service, but the rating does not indicate compromise beyond the vulnerable component. No vendor fix has been published. No in-the-wild exploitation has been reported, but the exploit details are public, which lowers the bar for opportunistic attacks. Only version 1.0 is listed as affected. The product is a PHP application used by travel agencies and similar businesses to manage bookings, currency settings and other administrative tasks.
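The mechanism described above, shown as an added example rather than the product's own code (the source of currency.php is not reproduced on this page): an in-memory SQLite database stands in for whatever database the application uses, the table and column names are assumptions chosen to mirror the curr_code parameter, and the two lookup functions contrast a concatenated query with a parameterised one on the same attacker-controlled input.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the application's database.

    The real schema behind currency.php is not shown on the page; the table and
    column names here are assumptions chosen to mirror the 'curr_code' parameter.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE currency (id INTEGER PRIMARY KEY, curr_code TEXT, curr_name TEXT, rate REAL)"
    )
    conn.executemany(
        "INSERT INTO currency (curr_code, curr_name, rate) VALUES (?, ?, ?)",
        [("EUR", "Euro", 1.0), ("USD", "US Dollar", 1.08), ("GBP", "Pound Sterling", 0.85)],
    )
    # A second table an attacker would try to reach through UNION (constructed data).
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', '$2y$10$constructedhash')")
    return conn


def lookup_vulnerable(conn, curr_code):
    """Query built by string concatenation: the parameter becomes SQL text."""
    sql = "SELECT curr_code, curr_name FROM currency WHERE curr_code = '" + curr_code + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, curr_code):
    """Parameterised query: the driver binds the value, it is never parsed as SQL."""
    return conn.execute(
        "SELECT curr_code, curr_name FROM currency WHERE curr_code = ?", (curr_code,)
    ).fetchall()


# Payload shapes typical of a public exploit for a parameter like curr_code:
# a tautology that dumps the whole table, and a UNION that pivots to another table.
TAUTOLOGY = "EUR' OR '1'='1"
UNION_DUMP = "' UNION SELECT username, password_hash FROM users--"


def compare(payload):
    """Return (rows from the concatenated query, rows from the bound query) for one input."""
    conn = make_db()
    try:
        return lookup_vulnerable(conn, payload), lookup_safe(conn, payload)
    finally:
        conn.close()


if __name__ == "__main__":
    for p in ("EUR", TAUTOLOGY, UNION_DUMP):
        vuln, safe = compare(p)
        print(f"{p!r:60} concatenated -> {len(vuln)} row(s), bound -> {len(safe)} row(s)")
```

The legitimate value behaves identically in both functions; the tautology returns every currency row from the concatenated query and nothing from the bound one, and the UNION payload returns a users row from the concatenated query, which is exactly the cross-table read the advisory's confidentiality impact refers to. In PHP the equivalent of `lookup_safe` is a prepared statement through PDO or MySQLi.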
Potential Impact
For organizations running version 1.0, the vulnerability gives an attacker who can reach the endpoint direct influence over the backend database. Through the injection they could read customer records, alter currency rates and related settings, or damage data and degrade availability. The likely consequences are breaches of travelers' personally identifiable information (PII), inconsistent financial data, and service outages affecting business continuity. For European operators, the size of the tourism sector and GDPR obligations around personal data make both reputational damage and regulatory penalties realistic outcomes. The low-rated impact on confidentiality, integrity and availability and the absence of reported in-the-wild exploitation limit the immediate risk, but with exploit details public, opportunistic scanning for this path should be expected, alongside targeted interest from actors after travel data or financial fraud.
Mitigation Recommendations
No official patch is available, so organizations running version 1.0 should apply compensating controls now and fix the code as soon as they can:
1) Restrict access to /admin/operations/currency.php (and ideally the whole /admin/ tree) to trusted addresses or VPN-only access, so the endpoint is not reachable from the open internet.
2) Put a Web Application Firewall in front of the application with a rule for the curr_code parameter; an allow-list rule (three letters, nothing else) is harder to evade than a signature for quotes and SQL keywords, but treat any WAF rule as a stopgap, not a fix.
3) Fix the root cause in the source: the query in currency.php must bind curr_code as a parameter (prepared statements via PDO or MySQLi in PHP) instead of concatenating it into the SQL string. Validating the value against its expected format is a useful extra layer, not a substitute for binding.
4) Review web server and database logs for requests to currency.php whose curr_code contains quotes, comment sequences (--, /*) or SQL keywords, and for unusual or slow queries that indicate time-based probing.
5) Plan an upgrade or migration to a fixed or alternative system once one is available.
6) Enforce strong authentication and session handling for administrative users, since the endpoint is part of the admin interface and a stolen admin session gives an attacker direct access to it.
7) Keep tested database backups so data altered or destroyed through the injection can be restored.
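An added example of the log review and allow-list logic from the mitigation list, not part of the original advisory or of the product: it parses constructed access-log lines in the common combined format, keeps only requests to the affected script, and flags any curr_code that is not a three-letter code, labelling the hit with the first injection-like token it finds. The sample lines, addresses and user agents are all constructed; the assumption that curr_code is sent in the query string is discussed after the code.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample web-server access-log lines in the common "combined" format.
# Addresses are from the RFC 5737 documentation ranges; none of this is real traffic.
SAMPLE_LOG = """\
198.51.100.10 - - [14/Aug/2025:20:47:49 +0000] "GET /admin/operations/currency.php?curr_code=EUR HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.10 - - [14/Aug/2025:20:48:03 +0000] "GET /admin/operations/currency.php?curr_code=USD HTTP/1.1" 200 498 "-" "Mozilla/5.0"
203.0.113.77 - - [14/Aug/2025:21:02:11 +0000] "GET /admin/operations/currency.php?curr_code=EUR%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.77 - - [14/Aug/2025:21:02:18 +0000] "GET /admin/operations/currency.php?curr_code=EUR%27%20UNION%20SELECT%20username,password%20FROM%20users--%20 HTTP/1.1" 200 640 "-" "python-requests/2.31"
203.0.113.77 - - [14/Aug/2025:21:02:25 +0000] "GET /admin/operations/currency.php?curr_code=EUR%2527%2520OR%25201%253D1 HTTP/1.1" 200 512 "-" "python-requests/2.31"
192.0.2.44 - - [14/Aug/2025:21:10:00 +0000] "GET /admin/operations/bookings.php?id=12 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

TARGET_PATH = "/admin/operations/currency.php"
PARAM = "curr_code"
# Allow-list: a currency code is exactly three ASCII letters (ISO 4217 style).
# Anything else is flagged, whether or not it matches a known injection pattern.
VALID_CODE = re.compile(r"^[A-Za-z]{3}$")
# Deny-list hints, used only to label why a value looked like SQL.
SQLI_HINTS = re.compile(
    r"""(['"]|--|/\*|\bunion\b|\bselect\b|\bsleep\b|\bbenchmark\b|\bor\b\s+\S+\s*=)""",
    re.IGNORECASE,
)


def inspect_value(raw):
    """Return None for a legitimate code, otherwise a short reason string."""
    # parse_qs already decoded once; decode again so a double-encoded payload
    # (%2527 -> %27 -> ') is examined in the form the application will see.
    value = unquote(raw)
    if VALID_CODE.match(value):
        return None
    hint = SQLI_HINTS.search(value)
    return hint.group(0) if hint else "not a 3-letter code"


def scan(log_text):
    """Parse access-log lines and return the requests whose curr_code looks malicious."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != TARGET_PATH:
            continue
        for raw in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            reason = inspect_value(raw)
            if reason is not None:
                findings.append({
                    "ip": m.group("ip"),
                    "time": m.group("ts"),
                    "status": int(m.group("status")),
                    "value": unquote(raw),
                    "reason": reason,
                })
    return findings


def sources(findings):
    """Count flagged requests per client address, most active first."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f'{h["time"]} {h["ip"]} {h["value"]!r} ({h["reason"]})')
    print("per source:", sources(hits))
```

The allow-list check does the real work: the three probes from 203.0.113.77 are caught because they are not three letters, and the deny-list only supplies the label. The page does not say whether curr_code is sent by GET or POST; if it is a POST field, the value never appears in a standard access log, and the same check has to run in the WAF or in application-level request logging instead.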
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-13T16:50:16.350Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 689e4b75ad5a09ad005e70c4
Added to database: 8/14/2025, 8:47:49 PM
Last enriched: 8/14/2025, 9:02:47 PM
Last updated: 8/15/2025, 12:34:50 AM
Related Threats
- CVE-2025-8991: Business Logic Errors in linlinjava litemall (Medium)
- CVE-2025-8990: SQL Injection in code-projects Online Medicine Guide (Medium)
- CVE-2025-8940: Buffer Overflow in Tenda AC20 (High)
- CVE-2025-8939: Buffer Overflow in Tenda AC20 (High)
- CVE-2025-50518: n/a (High)