CVE-2025-9153: Unrestricted Upload in itsourcecode Online Tour and Travel Management System
A vulnerability was detected in itsourcecode Online Tour and Travel Management System 1.0. This vulnerability affects unknown code of the file /admin/operations/travellers.php. The manipulation of the argument photo results in unrestricted upload. The attack can be launched remotely. The exploit is now public and may be used.
AI Analysis
Technical Summary
CVE-2025-9153 is a medium-severity vulnerability in version 1.0 of the itsourcecode Online Tour and Travel Management System. It resides in /admin/operations/travellers.php, in the handling of the 'photo' argument: the file supplied in that argument is stored without adequate restriction on its type or name, so an attacker can upload arbitrary files. If the upload directory is served by the web server and executes PHP, a web shell uploaded this way yields remote code execution on the host. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P) describes a network-reachable attack with low complexity and no user interaction, but PR:L means the attacker needs low privileges, in practice an account that can reach the admin endpoint; the attack is not unauthenticated. The vector rates the direct impact on confidentiality, integrity and availability as low, but an executable upload can escalate well beyond that base score. No official patch has been reported and no exploitation in the wild is known, but proof-of-concept exploit code is public (E:P), which lowers the bar for attackers. Only version 1.0 is listed as affected; the product is a niche application used in the tour and travel sector.
Potential Impact
For European organizations, especially those in the travel and tourism industry running the itsourcecode Online Tour and Travel Management System, this vulnerability poses a tangible risk. Successful exploitation can lead to unauthorized access, data breaches involving traveler personal information, and disruption of business operations. Because travel businesses process personal and booking data, a breach could mean GDPR non-compliance, financial penalties, and reputational damage. An attacker who gains code execution through the upload could also deploy malware or ransomware, affecting availability and causing operational downtime. The medium severity rating reflects that the attacker needs some level of access (PR:L), which may limit mass exploitation, but for an exposed instance with weak or shared admin credentials the outcome is full server compromise.
Mitigation Recommendations
Organizations should immediately audit their use of the itsourcecode Online Tour and Travel Management System version 1.0 and assess exposure of the /admin/operations/travellers.php endpoint. Since no official patch is currently available, mitigation should focus on restricting access to the administrative interface through network segmentation, VPNs, or IP allowlisting, and on making sure admin accounts use strong, unique credentials, since the attack requires low privileges rather than none. Harden the upload handling itself: accept only an allowlist of image types verified from file content rather than from the client-supplied name or Content-Type, enforce a size limit, assign server-generated filenames, store uploads outside the web root or in a directory where script execution is disabled, and scan uploaded files for malware. Verify the last point directly: if a file with a .php extension placed in the upload directory is executed when requested, the server configuration must be fixed regardless of application-level checks. Monitor web server logs for POST requests to the endpoint followed by requests for unexpected file types in the upload location, and for any newly created files with executable extensions there. Upgrading to a patched version, or moving to an alternative product, should be prioritized once available. A web application firewall with custom rules to block multipart uploads carrying script extensions or PHP content to this endpoint adds a further layer of defense, but it is not a substitute for the server-side fix.
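The following is an added example of the upload controls recommended above, written for this page; it is not code from the itsourcecode application, whose vulnerable handler is not shown here. The field name "photo", the destination directory, the session check and the helper name are assumptions for the example.

```php
<?php
// Added example: hardened handling of a multipart "photo" upload, illustrating
// the controls recommended in this advisory. Not code from the itsourcecode
// product; field name, directory and helper name are assumptions.

declare(strict_types=1);

const PHOTO_MAX_BYTES = 2 * 1024 * 1024;   // 2 MiB size cap

// Allowlist keyed by the MIME type detected from file content; the value is
// the extension the server assigns. The client never chooses the extension.
const PHOTO_ALLOWED = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
];

/**
 * Validate an uploaded photo and move it to a directory that must not execute
 * scripts, under a server-chosen name. Returns the stored filename or throws.
 * Nothing from the client (original filename, declared Content-Type) is trusted.
 */
function store_traveller_photo(array $file, string $destDir): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or missing');
    }
    // Rejects anything that did not arrive via HTTP upload (e.g. a local path).
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] <= 0 || $file['size'] > PHOTO_MAX_BYTES) {
        throw new RuntimeException('file too large or empty');
    }

    // Detect the real type from content; $file['type'] is set by the client.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !array_key_exists($mime, PHOTO_ALLOWED)) {
        throw new RuntimeException('unsupported file type');
    }
    // Require a parseable image header. A PHP/JPEG polyglot can still pass this
    // check, which is why the destination directory must not execute scripts.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }

    // Server-generated name: no client-controlled extension such as .php/.phtml.
    $name = bin2hex(random_bytes(16)) . '.' . PHOTO_ALLOWED[$mime];
    $dest = rtrim($destDir, '/') . '/' . $name;

    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0640);   // data file: not executable, not world-readable
    return $name;
}

// Usage in the request handler. The session check is an assumption; the page
// does not describe how the application authenticates administrators.
if (empty($_SESSION['admin_id'])) {
    http_response_code(403);
    exit;
}
try {
    $stored = store_traveller_photo($_FILES['photo'] ?? [], '/var/app/uploads/photos');
    echo 'stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'upload rejected';
}
```

The content check and the server-assigned name close the upload path used by this CVE, but the last line of defense is the web server: the upload directory should sit outside the document root, or be configured so that nothing in it is handed to the PHP interpreter (for example `php_admin_flag engine off` in an Apache directory block, or an nginx location that serves the directory as static files only).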
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-19T09:09:19.624Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68a4c6efad5a09ad00fa2977
Added to database: 8/19/2025, 6:48:15 PM