CVE-2025-8984: SQL Injection in itsourcecode Online Tour and Travel Management System
A vulnerability has been found in itsourcecode Online Tour and Travel Management System 1.0. Affected is an unknown function of the file /admin/operations/expense_category.php. The manipulation of the argument expense_name leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-8984 is a SQL Injection vulnerability identified in version 1.0 of the itsourcecode Online Tour and Travel Management System. The vulnerability exists in an unspecified function within the file /admin/operations/expense_category.php, specifically through the manipulation of the 'expense_name' parameter. This parameter is vulnerable to injection of malicious SQL code, allowing an attacker to interfere with the queries executed by the backend database. The vulnerability is remotely exploitable without requiring authentication or user interaction, which significantly increases the attack surface. The CVSS 4.0 base score is 6.9, indicating a medium severity level. The vector string (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P) shows that the attack can be performed over the network with low complexity, no privileges or user interaction needed, and partial impact on confidentiality, integrity, and availability. The vulnerability allows an attacker to potentially read or modify sensitive data, corrupt database contents, or disrupt service availability. Although no public exploits are currently known to be actively used in the wild, the disclosure of the exploit code increases the risk of exploitation. The Online Tour and Travel Management System is likely used by travel agencies and tour operators to manage bookings, expenses, and operations, making the confidentiality and integrity of financial and customer data critical. The lack of available patches or mitigation details in the provided information suggests that affected organizations must take immediate defensive measures to protect their systems.
Potential Impact
For European organizations, the impact of this SQL Injection vulnerability can be significant, especially for small to medium-sized travel agencies and tour operators relying on the itsourcecode Online Tour and Travel Management System version 1.0. Exploitation could lead to unauthorized access to sensitive financial data, customer personal information, and operational records, potentially resulting in data breaches that violate GDPR and other data protection regulations. Integrity compromise could allow attackers to alter financial records or booking details, causing operational disruptions and financial losses. Availability impacts could disrupt service continuity, affecting customer trust and business reputation. Given the travel industry's importance in Europe and the sensitivity of customer data handled, exploitation could also lead to regulatory fines and legal consequences. The remote and unauthenticated nature of the vulnerability increases the risk of widespread exploitation, especially if attackers automate scanning and exploitation attempts. Organizations using this system without timely remediation are at risk of targeted attacks or opportunistic exploitation by cybercriminals.
Mitigation Recommendations
Since no official patches or updates are indicated, European organizations should implement immediate compensating controls. First, restrict external access to the /admin/operations/expense_category.php endpoint using network-level controls such as firewalls or VPNs to limit exposure to trusted internal users only. Implement Web Application Firewall (WAF) rules specifically designed to detect and block SQL injection patterns targeting the 'expense_name' parameter. Conduct thorough input validation and sanitization on all user-supplied data, especially parameters related to expense categories, to neutralize injection payloads. If possible, upgrade or migrate to a newer, patched version of the software or consider alternative solutions with better security track records. Regularly monitor logs for suspicious database query patterns or repeated failed attempts indicative of exploitation attempts. Employ database-level protections such as least privilege principles for the application database user to minimize the impact of a successful injection. Finally, prepare an incident response plan to quickly address any detected exploitation attempts and notify relevant data protection authorities if a breach occurs.
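To make the input-validation and parameterised-query advice concrete, here is an added example (not code from the itsourcecode project, whose affected function is not identified in the advisory) of a hypothetical handler for the expense_name parameter: the unsafe string-building pattern the advisory describes, beside a prepared-statement version. Table and column names (expense_category, expense_name), the database name and the application user are assumptions.

```php
<?php
// Added example, not the project's own code. Assumes a MySQL table
// `expense_category` with a column `expense_name` (both assumed names).

// Unsafe pattern (assumed, shown for contrast): the request parameter is
// concatenated straight into the SQL text, so the database parses whatever
// it contains as part of the statement.
function insertCategoryUnsafe(mysqli $db, string $expenseName): bool
{
    $sql = "INSERT INTO expense_category (expense_name) VALUES ('$expenseName')";
    return $db->query($sql) === true;
}

// Hardened version: the value is bound as a parameter, so it is always
// treated as data, never as SQL, regardless of quotes or keywords in it.
function insertCategorySafe(mysqli $db, string $expenseName): bool
{
    // Application-level validation: categories are short, printable labels.
    $expenseName = trim($expenseName);
    if ($expenseName === '' || mb_strlen($expenseName) > 100) {
        return false;
    }
    $stmt = $db->prepare('INSERT INTO expense_category (expense_name) VALUES (?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('s', $expenseName);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Handler wiring (admin session check assumed to happen before this point).
// The DB user `ottms_app` (assumed) should hold only the INSERT/SELECT/UPDATE
// rights this page needs, per the least-privilege recommendation above.
$db = new mysqli('localhost', 'ottms_app', getenv('OTTMS_DB_PASSWORD') ?: '', 'ottms');
$db->set_charset('utf8mb4');
$name = $_POST['expense_name'] ?? '';
if (insertCategorySafe($db, $name)) {
    echo 'Category saved';
} else {
    http_response_code(400);
    echo 'Invalid expense name';
}
```

With the prepared statement in place, a WAF rule on expense_name remains useful as defence in depth and as a detection signal, but is no longer the only thing standing between the parameter and the query.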
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Austria, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-13T16:50:22.099Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 689e5985ad5a09ad005ef783
Added to database: 8/14/2025, 9:47:49 PM
Last enriched: 8/22/2025, 1:13:00 AM
Last updated: 9/27/2025, 7:24:10 AM