CVE-2025-6420 in Simple Online Hotel Reservation Systeminfo

Summary

by MITRE • 06/21/2025

A vulnerability was found in code-projects Simple Online Hotel Reservation System 1.0. It has been declared as critical. This vulnerability affects unknown code of the file /admin/add_room.php. The manipulation of the argument room_type leads to sql injection. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 06/26/2025

The vulnerability identified as CVE-2025-6420 represents a critical sql injection flaw within the code-projects Simple Online Hotel Reservation System version 1.0. This system, designed for hotel room reservation management, contains a dangerous input validation weakness that allows remote attackers to execute malicious sql commands against the underlying database. The vulnerability specifically resides in the /admin/add_room.php file where the room_type parameter is processed without proper sanitization or validation, creating an exploitable vector for database manipulation.

The technical flaw manifests when an attacker supplies malicious input through the room_type argument in the add_room.php endpoint. This parameter is directly incorporated into sql query construction without appropriate parameterization or input filtering mechanisms. The vulnerability follows the common sql injection pattern where user-controllable data is concatenated into database queries rather than being properly escaped or bound as parameters. This allows an attacker to inject sql payload that can manipulate the database structure, extract sensitive information, modify records, or potentially gain unauthorized access to the underlying database system.

The operational impact of this vulnerability is severe given that it enables remote code execution and data compromise. Attackers can exploit this flaw from outside the network perimeter, making it particularly dangerous for web applications that are publicly accessible. The disclosure of exploit details to the public community accelerates the risk profile significantly, as malicious actors can immediately leverage this vulnerability without requiring advanced technical skills or reconnaissance. The attack surface extends beyond simple data theft to include complete database compromise, which could result in exposure of guest information, reservation details, financial data, and potentially system credentials.

Security mitigations for this vulnerability should prioritize immediate implementation of parameterized queries or prepared statements for all database interactions, particularly in the affected add_room.php file. Input validation and sanitization should be enforced at multiple layers including application-level filtering and database-level protection mechanisms. The system should implement proper access controls and authentication checks to limit administrative functions to authorized users only. Additionally, regular security audits and penetration testing should be conducted to identify similar vulnerabilities in other application components. Organizations should also consider implementing web application firewalls and database activity monitoring to detect and prevent exploitation attempts. This vulnerability aligns with CWE-89 sql injection and follows attack patterns documented in the mitre ATT&CK framework under technique T1190 exploitation for client execution and T1071.1004 application layer protocol. The critical severity classification indicates that immediate remediation is essential to prevent potential data breaches and system compromise.

Responsible

VulDB

Disclosure

06/21/2025

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00448

KEV

no

Activities

very low

Sector

Hospital

Sources

Want to know what is going to be exploited?

We predict KEV entries!