CVE-2025-6355 in Online Hotel Reservation Systeminfo

Summary

by MITRE • 06/20/2025

A vulnerability has been found in SourceCodester Online Hotel Reservation System 1.0 and classified as critical. This vulnerability affects unknown code of the file /admin/execeditroom.php. The manipulation of the argument userid leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 06/26/2025

The vulnerability identified as CVE-2025-6355 represents a critical sql injection flaw within the SourceCodester Online Hotel Reservation System version 1.0. This system, designed for hotel management and reservation processing, contains a dangerous code execution vulnerability in the administrative component, specifically within the /admin/execeditroom.php file. The flaw stems from inadequate input validation and sanitization of user-provided data, creating a pathway for malicious actors to manipulate database operations through carefully crafted sql commands.

The technical exploitation of this vulnerability occurs through the manipulation of the userid parameter within the execeditroom.php script. When an attacker submits a malicious userid value, the application fails to properly escape or validate the input before incorporating it into sql queries. This allows attackers to inject arbitrary sql code that executes within the database context, potentially enabling full database compromise. The vulnerability is classified as remotely exploitable, meaning attackers do not require physical access to the system or local network privileges to initiate the attack, significantly expanding the potential attack surface.

The operational impact of this vulnerability extends beyond simple data theft, as successful exploitation could lead to complete system compromise including unauthorized access to guest reservation data, financial information, and administrative credentials. The disclosed exploit demonstrates that this vulnerability is not theoretical but actively being used by threat actors, making it particularly dangerous for organizations running this specific version of the hotel reservation system. Database administrators and security teams must consider the potential for privilege escalation and data exfiltration when assessing the risk posed by this vulnerability.

Organizations utilizing this software should immediately implement multiple layers of mitigation including input validation, parameterized queries, and web application firewalls to prevent exploitation. The vulnerability aligns with CWE-89 sql injection classification and maps to ATT&CK technique T1190 for exploitation of remote services, while also potentially enabling T1078 credential access through database compromise. Regular security updates and patch management procedures should be prioritized, and network segmentation should be implemented to limit potential lateral movement if compromise occurs. Additionally, monitoring for unusual database access patterns and implementing proper access controls for administrative functions will help detect and prevent unauthorized exploitation attempts.

Responsible

VulDB

Disclosure

06/20/2025

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00421

KEV

no

Activities

very low

Sector

Hospital

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!