Hotel and Lodge Management System
CVE-2025-11399
Severity: LOW
Severity by source: NVD (primary rating; only source for this CVE)
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A security vulnerability has been detected in SourceCodester Hotel and Lodge Management System 1.0. This affects an unknown function of the file /pages/save_room.php. The manipulation of the argument floorno leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.
Analysis (AI)
SQL injection in SourceCodester Hotel and Lodge Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the floorno parameter in /pages/save_room.php, affecting data confidentiality and integrity with limited scope. The CVSS score of 2.1 reflects low severity, given the authentication requirement and limited impact; publicly available exploit code exists, but EPSS puts the real-world exploitation probability at a minimal 0.03%.
Technical Context (AI)
The vulnerability exists in a PHP-based hotel management application where user-supplied input from the floorno parameter is passed unsafely into SQL queries without input validation or parameterized statements. This is a classic SQL injection vulnerability (CWE-74: Improper Neutralization of Special Elements used in an SQL Command) in which an authenticated user can place SQL syntax in the floorno argument to manipulate the database queries. The affected file /pages/save_room.php processes room data through an unknown function that neither sanitizes nor escapes the floorno input before executing database operations.
Remediation (AI)
The primary remediation is to upgrade to a patched version if one is available from SourceCodester; however, no vendor-released patch version has been independently confirmed in available data. Immediate compensating controls include:
(1) Implement parameterized prepared statements (bound parameters) in /pages/save_room.php to neutralize SQL injection vectors. This prevents user input from being interpreted as SQL syntax, with minimal code changes and no performance impact.
(2) Enforce input validation on the floorno parameter so that it accepts only numeric values matching expected room floor numbers, rejecting any input that contains SQL metacharacters or is of an unexpected data type. This trades flexibility for security.
(3) Restrict the database permissions of the application's connection to read-only or minimal write operations on the room tables only, limiting the damage from a successful injection. This requires database role reconfiguration but is a strong defense-in-depth layer.
Contact SourceCodester at www.sourcecodester.com for vendor-specific guidance and patch availability.