CVE-2025-9010: SQL Injection in itsourcecode Online Tour and Travel Management System
A vulnerability was found in itsourcecode Online Tour and Travel Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/booking_report.php. The manipulation of the argument from_date leads to SQL injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
AI Analysis
Technical Summary
CVE-2025-9010 is a SQL Injection vulnerability identified in version 1.0 of the itsourcecode Online Tour and Travel Management System. The vulnerability exists in the /admin/booking_report.php file, specifically through the manipulation of the 'from_date' parameter. This parameter is not properly sanitized or validated, allowing an attacker to inject malicious SQL code remotely without requiring any authentication or user interaction. Exploiting this flaw could enable an attacker to execute arbitrary SQL commands on the backend database, potentially leading to unauthorized data access, data modification, or deletion. The vulnerability has a CVSS 4.0 base score of 6.9, indicating a medium severity level. The attack vector is network-based (remote), with low attack complexity and no privileges or user interaction required. The impact on confidentiality, integrity, and availability is limited but present, as the vulnerability allows partial compromise of the database through SQL injection. Although no known exploits are currently observed in the wild, the public disclosure of the exploit code increases the risk of exploitation. The affected product is a niche tour and travel management system, which may be used by small to medium-sized travel agencies to manage bookings and reports. The vulnerability's exploitation could lead to leakage of sensitive customer booking data, manipulation of booking records, or disruption of reporting functions, impacting business operations and customer trust.
Potential Impact
For European organizations, particularly travel agencies and tour operators using the itsourcecode Online Tour and Travel Management System version 1.0, this vulnerability poses a tangible risk. Exploitation could result in unauthorized access to customer personal data, including travel itineraries, dates, and potentially payment-related information if stored in the database. This could lead to violations of GDPR requirements concerning data confidentiality and integrity, resulting in regulatory penalties and reputational damage. Additionally, manipulation or deletion of booking data could disrupt business operations, causing financial losses and customer dissatisfaction. Since the vulnerability can be exploited remotely without authentication, attackers from anywhere could target vulnerable European organizations. The medium severity rating suggests that while the impact is significant, it may not lead to full system compromise but still represents a serious threat to data security and business continuity in the tourism sector.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately apply any available patches or updates from itsourcecode for the Online Tour and Travel Management System. If no official patch exists, implement input validation and parameterized queries or prepared statements for the 'from_date' parameter in /admin/booking_report.php to prevent SQL injection. Employ web application firewalls (WAFs) configured to detect and block SQL injection attempts targeting this endpoint. Restrict access to the /admin directory by IP whitelisting or VPN to limit exposure. Conduct thorough security audits of the application codebase to identify and remediate similar injection flaws. Regularly monitor logs for suspicious query patterns or repeated failed attempts to exploit this vulnerability. Finally, ensure that database accounts used by the application have the minimum necessary privileges to limit the impact of a potential injection attack.
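The flaw described in the Technical Summary and the validate-then-bind fix recommended here, side by side, as an added Python example; this is not code from the itsourcecode project (which is PHP/MySQL, where the same pattern is a date check followed by a PDO prepared statement). The bookings table, its rows and the vulnerable_report reconstruction are constructed assumptions for illustration.

```python
import re
import sqlite3
from datetime import date

# The only shape a report date filter should ever accept: strict YYYY-MM-DD.
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")

def validate_report_date(value: str) -> str:
    """Return value unchanged if it is a real calendar date, else raise ValueError.
    Quotes, spaces, comment markers or extra characters never reach the database."""
    if not isinstance(value, str) or not DATE_RE.fullmatch(value):
        raise ValueError("from_date/to_date must be YYYY-MM-DD")
    date.fromisoformat(value)  # rejects impossible dates such as 2025-13-45
    return value

def is_valid_report_date(value) -> bool:
    try:
        validate_report_date(value)
        return True
    except ValueError:
        return False

def vulnerable_report(conn, from_date, to_date):
    # Hypothetical reconstruction of the pattern behind CVE-2025-9010: request
    # values spliced into SQL text, so a value can alter the query's structure.
    sql = ("SELECT id, customer FROM bookings "
           f"WHERE booking_date BETWEEN '{from_date}' AND '{to_date}'")
    return conn.execute(sql).fetchall()

def hardened_report(conn, from_date, to_date):
    # Validate first, then bind: the driver sends values separately from the
    # SQL text, so no value can change what the query does.
    from_date = validate_report_date(from_date)
    to_date = validate_report_date(to_date)
    sql = ("SELECT id, customer FROM bookings "
           "WHERE booking_date BETWEEN ? AND ? ORDER BY id")
    return conn.execute(sql, (from_date, to_date)).fetchall()

def build_sample_db():
    # Constructed sample bookings table; not the application's real schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bookings (id INTEGER PRIMARY KEY, "
                 "customer TEXT, booking_date TEXT)")
    conn.executemany("INSERT INTO bookings VALUES (?, ?, ?)",
                     [(1, "Alice", "2025-08-01"), (2, "Bob", "2025-08-10"),
                      (3, "Carol", "2025-09-02")])
    return conn
```

For valid dates both functions return the same rows, so the fix does not change the report; the hardened version simply refuses anything that is not a date before it touches SQL.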
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-13T19:29:39.267Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 689ebbf5ad5a09ad006246d3
Added to database: 8/15/2025, 4:47:49 AM
Last enriched: 8/15/2025, 5:02:51 AM
Last updated: 8/15/2025, 8:17:33 AM
Related Threats
CVE-2025-9027: SQL Injection in code-projects Online Medicine Guide (Medium)
CVE-2025-9026: OS Command Injection in D-Link DIR-860L (Medium)
CVE-2025-9025: SQL Injection in code-projects Simple Cafe Ordering System (Medium)
CVE-2025-9024: SQL Injection in PHPGurukul Beauty Parlour Management System (Medium)
CVE-2025-9023: Buffer Overflow in Tenda AC7 (High)