CVE-2022-28607 in ISIC Tour Booking
Summary
by MITRE • 12/01/2022
An issue was discovered in asith-eranga ISIC tour booking through the version published on Feb 13th 2018, which allows attackers to gain sensitive information via the action parameter to /system/user/modules/mod_users/controller.php.
Analysis
by VulDB Data Team • 05/20/2026
CVE-2022-28607 is a sensitive information disclosure in the ISIC tour booking system developed by asith-eranga. The advisory names the version published on February 13th 2018 as affected and gives no fixed version. The flaw is reached through the action parameter of /system/user/modules/mod_users/controller.php, the controller of the user-management module, so the data exposed is the data that module handles: user accounts.
The controller dispatches on the action parameter to operations on user records. According to the advisory, an attacker who supplies a chosen action value can make the script return information it should not, which means at least one branch of that dispatch is reachable without the validation or access check that should guard it. The public description does not say which action value triggers the disclosure or whether an authenticated session is required. The weakness is classified here as CWE-20 (Improper Input Validation): user-supplied input is used to select an operation without being checked against what the caller is entitled to do.
Because the affected module is the user-management controller, the exposed data is likely to include account details such as user names, contact information and, depending on how accounts are stored, password hashes or session-related values; the advisory does not enumerate the fields. Any of these gives an attacker material for account takeover or further unauthorized access against the booking platform. Since the affected release dates from 2018, deployments that have not been updated since then carry this exposure, and an unauthenticated information leak of this kind is typically found and exploited by automated scanning rather than targeted effort.
Mitigation should start with updating to a release that no longer exhibits the issue, if the vendor provides one. Where that is not possible, the controller itself must be hardened: accept only action values from a fixed allow-list, require an authenticated session before any action is dispatched, and enforce a per-action authorization check so that operations on other users' records are limited to administrative roles. Output should be limited to the fields the caller needs rather than whole user records. A practical check after patching is to request the endpoint without a session, once for every action value the controller recognizes, and confirm that each returns an authentication failure (401 or a login redirect) rather than data. If the application cannot be changed promptly, a web server or WAF rule that blocks unauthenticated requests to /system/user/modules/mod_users/controller.php is an interim control, and web server access logs for that path should be reviewed for requests with unexpected action values. The same review should be applied to the other module controllers in /system, since a dispatch pattern that lacks checks in one module is often repeated in the others. VulDB maps this issue to ATT&CK T1213 (Data from Information Repositories) and T1078 (Valid Accounts), reflecting the harvesting of user information and its subsequent use to log in as legitimate users.
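The following PHP is an added illustration of the bug class described in the analysis above and of the hardening it recommends; it is not code from the asith-eranga ISIC tour booking project, whose real controller.php is not reproduced on this page. The action names (list_users, profile), the handler functions, the in-memory user table and the session layout are all hypothetical, chosen only to show the pattern: a dispatcher that forwards any action value to a data-returning branch, beside one that authenticates, allow-lists the action and checks a role before calling the handler.

```php
<?php
// Added example, not the project's code. Everything below is a hypothetical
// reconstruction of the weakness class (user-controlled "action" dispatched
// without authentication or an allow-list) and of a hardened dispatcher.
declare(strict_types=1);

// Constructed sample data standing in for the user table.
const USERS = [
    1 => ['id' => 1, 'name' => 'alice', 'email' => 'alice@example.test', 'role' => 'admin',
          'pw_hash' => '$2y$10$abcdefghijklmnopqrstuv'],
    2 => ['id' => 2, 'name' => 'bob',   'email' => 'bob@example.test',   'role' => 'user',
          'pw_hash' => '$2y$10$vutsrqponmlkjihgfedcba'],
];

// Handlers. fetch_all_users returns full records, the kind of data the
// advisory says the real controller exposes.
function fetch_all_users(array $session): array { return array_values(USERS); }

// Hardened handler: returns only the caller's own record, minus the hash.
function fetch_self(array $session): array {
    $row = USERS[$session['user_id']] ?? [];
    unset($row['pw_hash']);
    return $row;
}

// ---- Vulnerable pattern (hypothetical) ----
// No session check, no allow-list: whoever names a branch gets its output.
function vulnerable_dispatch(array $get, array $session): string {
    switch ($get['action'] ?? '') {
        case 'list_users':
            return json_encode(fetch_all_users($session));
        case 'profile':
            return json_encode(USERS[(int) ($get['id'] ?? 0)] ?? []);
        default:
            return 'unknown action';
    }
}

// ---- Hardened pattern ----
// Allow-list of action => [handler, minimum role]. Unknown keys never reach
// a handler, and each handler receives the session, not raw request data.
const ALLOWED_ACTIONS = [
    'list_users' => ['fetch_all_users', 'admin'],
    'profile'    => ['fetch_self',      'user'],
];

function hardened_dispatch(array $get, array $session): string {
    // 1. Authentication: nothing is dispatched without a logged-in user.
    if (empty($session['user_id'])) {
        http_response_code(401);
        return 'authentication required';
    }
    // 2. Allow-list: the action must be a known string key.
    $action = $get['action'] ?? '';
    if (!is_string($action) || !array_key_exists($action, ALLOWED_ACTIONS)) {
        http_response_code(400);
        return 'invalid action';
    }
    [$handler, $minRole] = ALLOWED_ACTIONS[$action];
    // 3. Authorization: admin may run anything; others only 'user' actions.
    $role = $session['role'] ?? '';
    if ($role !== 'admin' && $role !== $minRole) {
        http_response_code(403);
        return 'forbidden';
    }
    return json_encode($handler($session));
}

// Demonstration from the CLI: php controller_example.php
$anon = [];
$bob  = ['user_id' => 2, 'role' => 'user'];
echo "vulnerable, no session:  ", vulnerable_dispatch(['action' => 'list_users'], $anon), PHP_EOL;
echo "hardened,   no session:  ", hardened_dispatch(['action' => 'list_users'], $anon), PHP_EOL;
echo "hardened,   bob list:    ", hardened_dispatch(['action' => 'list_users'], $bob), PHP_EOL;
echo "hardened,   bob profile: ", hardened_dispatch(['action' => 'profile'], $bob), PHP_EOL;
echo "hardened,   bad action:  ", hardened_dispatch(['action' => 'dump'], $bob), PHP_EOL;
```

Running it shows the vulnerable dispatcher returning every record, password hashes included, to a caller with no session, while the hardened one refuses the same request with an authentication error, refuses a logged-in non-admin the list action, and returns only the caller's own hash-free record for profile. The ordering matters: the session check runs before the action is even examined, so an unknown or malformed action value from an unauthenticated client never reaches the allow-list or any handler.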