CVE-2025-9008: SQL Injection in itsourcecode Online Tour and Travel Management System
A vulnerability was identified in itsourcecode Online Tour and Travel Management System 1.0. This issue affects some unknown processing of the file /admin/sms_setting.php. The manipulation of the argument uname leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-9008 is a SQL Injection vulnerability identified in version 1.0 of the itsourcecode Online Tour and Travel Management System. The vulnerability arises from improper handling of the 'uname' parameter within the /admin/sms_setting.php file. An attacker can manipulate this parameter to inject malicious SQL code, potentially allowing unauthorized access to the backend database. The vulnerability is remotely exploitable without requiring authentication or user interaction, increasing its risk profile. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the ease of exploitation (network attack vector, low attack complexity) and the limited but notable impact on confidentiality, integrity, and availability. The vulnerability does not require privileges or user interaction, and the scope is limited to the affected system. Although no known exploits are currently observed in the wild, the public disclosure of the exploit increases the likelihood of exploitation attempts. The vulnerability could allow attackers to extract sensitive data, modify or delete records, or disrupt system operations, impacting the integrity and availability of the system. Given the system's role in managing tour and travel operations, such compromise could lead to operational disruptions and data breaches involving customer information.
Potential Impact
For European organizations using the itsourcecode Online Tour and Travel Management System version 1.0, this vulnerability poses a significant risk. The tourism and travel sector is critical in many European economies, and a successful SQL injection attack could lead to unauthorized disclosure of personal customer data, including booking details and contact information, potentially violating GDPR requirements. Additionally, attackers could manipulate booking or payment records, causing financial discrepancies and operational disruptions. The availability of the system could be impacted, leading to service outages and reputational damage. Given the remote exploitability without authentication, attackers could target these systems from anywhere, increasing the threat landscape. Organizations relying on this software must consider the potential for data breaches and service interruptions, which could have cascading effects on customer trust and regulatory compliance.
Mitigation Recommendations
Since no official patches are currently available, European organizations should implement immediate compensating controls. These include:
1) Applying Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the 'uname' parameter in /admin/sms_setting.php;
2) Restricting network access to the administration interface to trusted IP addresses only, minimizing exposure;
3) Conducting thorough input validation and sanitization on all user-supplied inputs, especially the 'uname' parameter, to prevent injection;
4) Monitoring logs for suspicious database queries or repeated failed attempts indicative of exploitation;
5) Planning and prioritizing an upgrade or patch deployment once the vendor releases a fix;
6) Considering temporary disabling or restricting access to the vulnerable module if feasible;
7) Educating IT staff about the vulnerability and ensuring incident response readiness.
These targeted actions go beyond generic advice by focusing on the specific vulnerable component and attack vector.
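As a concrete form of recommendation 4 (log monitoring), the following added example scans web-server access logs for requests to /admin/sms_setting.php whose uname value carries SQL syntax. It is not code from the advisory or from the affected project; the log format, the sample lines and the heuristics are constructed for illustration, and only GET query strings are visible this way.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Aug/2025:04:17:49 +0000] "GET /admin/sms_setting.php?uname=admin HTTP/1.1" 200 512
203.0.113.11 - - [15/Aug/2025:04:18:02 +0000] "GET /admin/sms_setting.php?uname=admin%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 512
203.0.113.12 - - [15/Aug/2025:04:18:10 +0000] "GET /admin/sms_setting.php?uname=o%27neil HTTP/1.1" 200 512
203.0.113.13 - - [15/Aug/2025:04:18:30 +0000] "GET /index.php?page=about HTTP/1.1" 200 1024
"""
VULNERABLE_PATH, TARGET_PARAM = "/admin/sms_setting.php", "uname"  # from the advisory
# Group 1: client IP; group 2: request target from the quoted request line.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*"')
# Heuristics for SQL syntax inside a username value (illustrative, not exhaustive).
SQL_SYNTAX = [
    re.compile(r"--|/\*|#"),                                 # comment sequences
    re.compile(r"\b(or|and)\b\s*[\w'\"]+\s*=", re.I),        # tautology such as OR 1=1
    re.compile(r"\bunion\b.*\bselect\b", re.I),              # UNION-based extraction
    re.compile(r";\s*(drop|insert|update|delete)\b", re.I),  # stacked statements
]

def decode_fully(value):
    """URL-decode until stable so double-encoded values are normalised."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return value

def classify_uname(value):
    """Return the heuristics a uname value triggers; an empty list means benign."""
    decoded = decode_fully(value)
    reasons = [p.pattern for p in SQL_SYNTAX if p.search(decoded)]
    # A lone apostrophe (O'Neil) is legitimate; a quote plus SQL syntax is not.
    if reasons and ("'" in decoded or '"' in decoded):
        reasons.append("quote combined with SQL syntax")
    return reasons

def scan_log(text):
    """Return (client_ip, decoded_uname, reasons) for suspicious hits on the path."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group(2))
        if url.path != VULNERABLE_PATH:
            continue
        for value in parse_qs(url.query, keep_blank_values=True).get(TARGET_PARAM, []):
            reasons = classify_uname(value)
            if reasons:
                hits.append((m.group(1), decode_fully(value), reasons))
    return hits
```

POST parameters never reach the access log, so the same check belongs in application-level request logging or the WAF from recommendation 1.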
Affected Countries
Germany, France, Italy, Spain, United Kingdom, Netherlands, Switzerland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-13T19:29:33.751Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 689eb4edad5a09ad00620d0c
Added to database: 8/15/2025, 4:17:49 AM
Last enriched: 8/15/2025, 4:32:53 AM
Last updated: 8/15/2025, 8:17:30 AM