
CVE-2025-9155: SQL Injection in itsourcecode Online Tour and Travel Management System

Medium
Published: Tue Aug 19 2025 (08/19/2025, 19:32:07 UTC)
Source: CVE Database V5
Vendor/Project: itsourcecode
Product: Online Tour and Travel Management System

Description

A vulnerability has been found in itsourcecode Online Tour and Travel Management System 1.0. Impacted is an unknown function of the file /user/forget_password.php. Manipulation of the argument email leads to SQL injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 08/19/2025, 20:02:58 UTC

Technical Analysis

CVE-2025-9155 is a SQL Injection vulnerability identified in version 1.0 of the itsourcecode Online Tour and Travel Management System. The vulnerability exists in the /user/forget_password.php script, specifically in the handling of the 'email' parameter. An attacker can manipulate this parameter to inject malicious SQL code, which the backend database executes. This flaw allows an unauthenticated remote attacker to potentially access, modify, or delete sensitive data within the database. The vulnerability does not require any user interaction or privileges, making it remotely exploitable over the network. The CVSS 4.0 base score is 6.9 (medium severity), reflecting the ease of exploitation (no authentication, no user interaction) but limited scope and impact on confidentiality, integrity, and availability (each rated low). The vulnerability has been publicly disclosed, but no known exploits are currently observed in the wild. The affected product is a niche online tour and travel management system, which may be used by small to medium travel agencies to manage bookings, user accounts, and related data. The lack of a patch link indicates that a fix may not yet be available, increasing the risk for organizations still running this version.

Potential Impact

For European organizations, particularly small and medium-sized travel agencies using the itsourcecode Online Tour and Travel Management System 1.0, this vulnerability poses a significant risk. Exploitation could lead to unauthorized access to customer data, including personally identifiable information (PII) such as email addresses, booking details, and potentially payment information if stored in the database. This compromises confidentiality and may result in data breaches subject to GDPR penalties. Additionally, attackers could alter or delete booking records, impacting data integrity and availability of services, leading to operational disruptions and reputational damage. Given the travel industry's importance in Europe and the sensitivity of customer data, exploitation could have legal and financial consequences. However, the limited market penetration of this specific software and the medium severity rating somewhat constrain the overall impact.

Mitigation Recommendations

Organizations using the itsourcecode Online Tour and Travel Management System 1.0 should immediately audit their systems for this vulnerability. Specific mitigations include:

1) Applying any available patches or updates from the vendor as soon as they are released.
2) If patches are not yet available, implementing web application firewall (WAF) rules to detect and block SQL injection patterns targeting the 'email' parameter in /user/forget_password.php.
3) Conducting input validation and sanitization on all user-supplied data, especially the 'email' field, to prevent injection attacks.
4) Restricting database user permissions to the minimum necessary to limit the impact of a successful injection.
5) Monitoring logs for suspicious activities related to password reset requests and unusual database queries.
6) Considering isolating or replacing the vulnerable system if it cannot be secured promptly.
7) Educating staff about the risks and ensuring incident response plans are updated to handle potential data breaches.
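Mitigation 5 above calls for monitoring password reset requests. The following is an added example, not code from itsourcecode or from this advisory: it scans constructed Apache-style access-log lines (sample data, not real traffic) for requests to /user/forget_password.php whose email parameter is not a plausible address, and counts reset requests per client address. It assumes the parameter is visible in the log (a GET query string, or a request body that a WAF or application log records); a POSTed form field would otherwise not appear in a standard access log.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [19/Aug/2025:19:40:01 +0000] "GET /user/forget_password.php?email=alice%40example.com HTTP/1.1" 200 1432 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Aug/2025:19:40:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.23 - - [19/Aug/2025:19:41:10 +0000] "GET /user/forget_password.php?email=bob%40example.com%27-- HTTP/1.1" 200 1432 "-" "curl/8.4.0"
198.51.100.23 - - [19/Aug/2025:19:41:11 +0000] "GET /user/forget_password.php?email=bob%40example.com%22%3B HTTP/1.1" 500 0 "-" "curl/8.4.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
TARGET_PATH = "/user/forget_password.php"  # the endpoint named in the advisory
# Shape of a plausible submitted address; anything else is flagged for review.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
SQL_META = "'\";#()="  # characters that never belong in an email address

def classify_email(value):
    """Return a reason the value is suspicious, or None if it looks like an address."""
    if not value:
        return "empty email parameter"
    if EMAIL_RE.fullmatch(value):
        return None
    found = sorted(ch for ch in set(value) if ch in SQL_META)
    if found:
        return "SQL metacharacters in email: " + "".join(found)
    return "email parameter fails syntax check"

def scan_log(text):
    """Return (findings, counts): malformed-email reset requests and reset requests per IP."""
    findings, counts = [], Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != TARGET_PATH:
            continue
        counts[m["ip"]] += 1
        # parse_qs percent-decodes, so %27 arrives here as a literal quote.
        email = parse_qs(parts.query, keep_blank_values=True).get("email", [""])[0]
        reason = classify_email(email)
        if reason:
            findings.append((m["ip"], m["ts"], email, reason))
    return findings, counts

if __name__ == "__main__":
    print(*scan_log(SAMPLE_LOG)[0], sep="\n")
```

A burst of reset requests from one address in the returned counts is worth correlating with the database's slow-query or error log, since an injection attempt that breaks the query will typically surface there as well.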


Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-08-19T09:09:24.813Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68a4d4e5ad5a09ad00fa9731

Added to database: 8/19/2025, 7:47:49 PM

Last enriched: 8/19/2025, 8:02:58 PM

Last updated: 8/19/2025, 8:03:02 PM

