CVE-2025-9924: SQL Injection in projectworlds Travel Management System

Severity: Medium
Published: Wed Sep 03 2025 (09/03/2025, 18:32:08 UTC)
Source: CVE Database V5
Vendor/Project: projectworlds
Product: Travel Management System

Description

A vulnerability has been found in projectworlds Travel Management System 1.0. This vulnerability affects unknown code of the file /enquiry.php. The manipulation of the argument t2 leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used.

AI-Powered Analysis

Last updated: 09/03/2025, 19:02:45 UTC

Technical Analysis

CVE-2025-9924 is a SQL injection vulnerability in version 1.0 of the projectworlds Travel Management System, located in the /enquiry.php script. The request parameter 't2' is placed into a database query without being bound as a parameter, so a crafted value changes the structure of the query that /enquiry.php executes rather than being treated as data. The CVE record describes the affected code only as "unknown code" of /enquiry.php, so the exact query and the table it reads are not public. Exploitation is remote and requires neither authentication nor user interaction.

The CVSS 4.0 base score is 6.9 (medium): network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and low impact on confidentiality, integrity and availability (VC:L, VI:L, VA:L). Those low impact ratings are the assessor's baseline for an unauthenticated injection; what an attacker can actually read or change depends on the privileges of the database account the application uses, since the injected SQL runs with that account's rights.

No vendor patch has been disclosed, and no exploitation in the wild has been reported, but exploit details have been published, which lowers the bar for opportunistic attackers and automated scanners. Because a travel management system typically stores booking and customer details, an internet-exposed deployment of version 1.0 should be treated as at risk until the query in /enquiry.php is fixed.
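The bug class, as an added illustration (not projectworlds code; the application itself is PHP, and the real query behind 't2' is not public). The vulnerable lookup splices the parameter into the SQL text, the hardened one binds it; the enquiry and users tables, their columns, and the sample rows are assumptions constructed for the example:

```python
"""CVE-2025-9924 bug class modelled in SQLite (added example, not the project's code).

`lookup_vulnerable` mirrors the flaw described in the advisory: the `t2`
request parameter is concatenated into the query.  `lookup_safe` is the
hardened form with a bound parameter.  Table/column names and rows are
constructed for this illustration; the real schema is not disclosed.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: an enquiry table plus an unrelated users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE enquiry (id INTEGER PRIMARY KEY, subject TEXT, email TEXT);
        INSERT INTO enquiry (subject, email) VALUES
            ('Paris trip', 'alice@example.com'),
            ('Rome trip',  'bob@example.com'),
            ('Tokyo trip', 'carol@example.com');
        CREATE TABLE users (username TEXT, pwhash TEXT);
        INSERT INTO users VALUES ('admin', '$2y$10$examplehash');
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, t2: str) -> list:
    """Vulnerable: the value of t2 becomes part of the SQL statement itself."""
    sql = f"SELECT subject, email FROM enquiry WHERE subject = '{t2}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, t2: str) -> list:
    """Hardened: t2 is bound as a parameter and can only ever be compared as data."""
    sql = "SELECT subject, email FROM enquiry WHERE subject = ?"
    return conn.execute(sql, (t2,)).fetchall()


# Two payloads of the kind sent in t2: a tautology that returns every row,
# and a UNION that pulls rows out of a table the query never meant to touch.
TAUTOLOGY = "x' OR '1'='1"
UNION_DUMP = "x' UNION SELECT username, pwhash FROM users--"


def demo() -> dict:
    """Run both payloads against both forms and return the result sets."""
    conn = build_db()
    return {
        "vuln_tautology": lookup_vulnerable(conn, TAUTOLOGY),
        "vuln_union": lookup_vulnerable(conn, UNION_DUMP),
        "safe_tautology": lookup_safe(conn, TAUTOLOGY),
        "safe_union": lookup_safe(conn, UNION_DUMP),
        "safe_legit": lookup_safe(conn, "Rome trip"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The tautology returns all three enquiries through the vulnerable path and nothing through the safe path; the UNION payload returns the users row through the vulnerable path, which is the confidentiality impact the score's VC:L understates when the application's database account can read other tables.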

Potential Impact

For European organizations running projectworlds Travel Management System 1.0, exploitation could expose the personal data the application holds, such as customer identities, contact details, itineraries and booking records. A breach of that data is a personal-data breach under GDPR, with the associated notification duties, potential fines and reputational damage. Injected writes could also corrupt booking records and disrupt operations. The CVSS vector rates confidentiality, integrity and availability impact as low, but that is a baseline: with an over-privileged database account, or if the database is shared with other applications, an unauthenticated attacker may reach more than the enquiry data. The risk is highest where the system is reachable from the internet or is integrated with other business systems. Since exploit details are public, automated scanning for /enquiry.php is to be expected, so mitigation should not wait for a vendor patch.

Mitigation Recommendations

1. Restrict network access to the Travel Management System immediately, for example behind a VPN or a firewall rule set that admits only trusted users, until the code is fixed.
2. Add web application firewall (WAF) rules that detect and block SQL injection patterns in the 't2' parameter of /enquiry.php. Treat this as a stopgap: WAF signatures can be bypassed, so it does not replace fixing the query.
3. Review /enquiry.php and any shared database code, and rewrite every query that incorporates request input to use prepared statements with bound parameters. Escaping or "sanitizing" the input is not a substitute for parameterization; add allow-list validation of 't2' (expected type, length and character set) only as defence in depth.
4. Apply a vendor fix as soon as one is published and upgrade from version 1.0.
5. Monitor web-server and database logs for requests to /enquiry.php whose 't2' value contains SQL metacharacters or keywords, and for repeated requests from a single source that suggest automated probing.
6. Run the application with a database account limited to the tables and operations it needs, with no rights to other schemas, file access or administrative functions, so that a successful injection cannot reach beyond the application's own data.
7. Brief system administrators and security teams on this vulnerability and make sure the incident response plan covers a suspected database compromise through this application.
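Detection logic for recommendation 5, as an added example (not part of the advisory or the project): it parses access-log lines in the common combined format, extracts the 't2' value from requests to /enquiry.php, URL-decodes it and flags SQL injection markers. The log lines are constructed for the example, and it assumes 't2' is sent in the query string; if the form posts 't2' in the request body, the access log will not contain it and the same check has to run on application or WAF logs instead.

```python
"""Flag SQL-injection probes against /enquiry.php in access logs (added example).

Assumptions: Apache/nginx combined log format and a GET request carrying
`t2` in the query string.  The sample log below is constructed, not real.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote_plus, urlsplit

# ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers that are rarely legitimate in a free-text enquiry field.  A lone
# apostrophe is deliberately not enough (names like "Tom's trip" are normal).
SQLI_PATTERNS = [
    r"--",                                         # comment terminator
    r"/\*",                                        # block comment
    r"\bunion\b[\s\S]*\bselect\b",                 # UNION ... SELECT
    r"\bor\b\s*['\"]?\w+['\"]?\s*=\s*['\"]?\w+",   # OR 1=1, OR '1'='1
    r"\b(sleep|benchmark|pg_sleep)\s*\(",          # time-based probes
    r";\s*(drop|insert|update|delete|alter)\b",    # stacked statements
]
SQLI_RE = re.compile("|".join(SQLI_PATTERNS), re.IGNORECASE)

# Constructed sample: two normal enquiries, two injection attempts against
# /enquiry.php, and one probe against a different script (not in scope here).
SAMPLE_LOG = """\
203.0.113.7 - - [03/Sep/2025:18:40:01 +0000] "GET /enquiry.php?t2=Paris+trip HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
203.0.113.7 - - [03/Sep/2025:18:40:05 +0000] "GET /enquiry.php?t2=Tom%27s+trip HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
198.51.100.23 - - [03/Sep/2025:18:41:12 +0000] "GET /enquiry.php?t2=x%27+OR+%271%27%3D%271 HTTP/1.1" 200 5120 "-" "sqlmap/1.8"
198.51.100.23 - - [03/Sep/2025:18:41:13 +0000] "GET /enquiry.php?t2=x%27+UNION+SELECT+username%2Cpwhash+FROM+users-- HTTP/1.1" 200 2210 "-" "sqlmap/1.8"
198.51.100.23 - - [03/Sep/2025:18:41:14 +0000] "GET /index.php?page=1%27+OR+1%3D1 HTTP/1.1" 200 900 "-" "sqlmap/1.8"
"""


def t2_value(target: str) -> Optional[str]:
    """Return the decoded t2 parameter if the request targets /enquiry.php."""
    parts = urlsplit(target)
    if parts.path != "/enquiry.php":
        return None
    values = parse_qs(parts.query, keep_blank_values=True).get("t2")
    return values[0] if values else None


def is_sqli(value: str) -> bool:
    """Check the value as the server decodes it, plus one extra decode for
    double-encoded probes that try to slip past naive filters."""
    return any(SQLI_RE.search(v) for v in (value, unquote_plus(value)))


def suspicious_requests(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (ip, timestamp, decoded t2) for every flagged /enquiry.php request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        t2 = t2_value(m.group("target"))
        if t2 is not None and is_sqli(t2):
            hits.append((m.group("ip"), m.group("ts"), t2))
    return hits


if __name__ == "__main__":
    for ip, ts, t2 in suspicious_requests(SAMPLE_LOG.splitlines()):
        print(f"{ts} {ip} t2={t2!r}")
```

On the sample log this flags the two sqlmap-style requests and ignores the legitimate enquiries, including the one with an apostrophe. The path check scopes the detector to the script named in the advisory; dropping it gives a generic check for any parameter, at the cost of more tuning against false positives in free-text fields.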

Technical Details

Data Version
5.1
Assigner Short Name
VulDB
Date Reserved
2025-09-03T11:22:01.115Z
Cvss Version
4.0
State
PUBLISHED

Added to database: 9/3/2025, 6:47:48 PM

Last enriched: 9/3/2025, 7:02:45 PM

Last updated: 9/4/2025, 10:23:14 PM
