Hotel and Lodge Management System
CVE-2025-11469
Severity by source: LOW
CVSS vector (NVD): CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD; the only source for this CVE.
Description (CVE.org)
A weakness has been identified in SourceCodester Hotel and Lodge Management System 1.0. The affected element is an unknown function of the file /pages/save_customer.php. Executing manipulation of the argument Contact can lead to SQL injection. The attack can be executed remotely. The exploit has been made available to the public and could be exploited.
Analysis (AI)
SQL injection in SourceCodester Hotel and Lodge Management System 1.0 allows authenticated remote attackers to manipulate the Contact parameter in /pages/save_customer.php, enabling data exfiltration or modification with limited-scope impact. Publicly available exploit code exists. The vulnerability carries a low CVSS score (2.1) because prior authentication is required and the technical impact is limited, but the public availability of the exploit increases the practical exploitation risk for unpatched instances.
Technical Context (AI)
The vulnerability exists in a PHP-based hotel management application where user-supplied input from the Contact parameter is processed by the save_customer.php endpoint without proper parameterization or input validation. The affected file likely constructs SQL queries through string concatenation rather than prepared statements, enabling attackers to inject arbitrary SQL syntax. The assigned CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component) indicates that the root cause is insufficient sanitization of user input before database query execution. That classification is slightly imprecise for a direct SQL injection, which is typically CWE-89; either way, the underlying mechanism is a failure to escape or parameterize the Contact field value.
Remediation (AI)
No vendor-released patch was identified at the time of analysis. The primary remediation is to upgrade to a patched version if the vendor (Nikhil Bhalerao / SourceCodester) releases one; check https://www.sourcecodester.com/. Until a patch is available, implement compensating controls: apply Web Application Firewall (WAF) rules to block SQL injection patterns in POST parameters sent to /pages/save_customer.php; restrict the database user's permissions to the minimum required operations (read-only for customer queries if write access is not necessary for the Contact field); restrict access to the save_customer.php endpoint via network ACLs to trusted internal users only; and enforce strong authentication with multi-factor authentication to limit unauthorized account access. Additionally, review application logs for suspicious Contact parameter values (SQL keywords, quotes, dashes) and implement input validation that accepts only the expected contact formats (phone numbers, email addresses) using strict character whitelisting.
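The following PHP snippet is an added illustration of the two points above (the concatenation pattern named in the Technical Context and the validation-plus-parameterization fix named in the Remediation); it is not code from the SourceCodester project. The table and column names, the $pdo connection and the helper function names are assumptions made for the demonstration, and the in-memory SQLite database and sample inputs are constructed here.

```php
<?php
// Added illustrative example, not the application's own code. Assumes a PDO
// connection, a table `customers` with columns `name` and `contact`, and a
// POST field named Contact; all of these names are assumptions.

// Vulnerable pattern: the Contact value is pasted straight into the SQL
// string, so quotes and SQL keywords inside it become part of the statement.
// Shown for contrast only; it is never called below.
function saveCustomerVulnerable(PDO $pdo, string $name, string $contact): void
{
    $sql = "INSERT INTO customers (name, contact) VALUES ('$name', '$contact')";
    $pdo->exec($sql); // user-controlled text reaches the database as SQL
}

// Validation from the Remediation section: accept only a phone number or an
// e-mail address, built from a strict character whitelist.
function isValidContact(string $contact): bool
{
    // Phone: optional leading '+', then 7 to 15 digits, spaces or dashes.
    if (preg_match('/^\+?[0-9][0-9 \-]{6,14}$/', $contact) === 1) {
        return true;
    }
    // E-mail: use PHP's built-in validator rather than a home-grown regex.
    return filter_var($contact, FILTER_VALIDATE_EMAIL) !== false;
}

// Hardened form: validate first, then bind the value as a parameter so the
// driver never interprets its contents as SQL syntax.
function saveCustomerSafe(PDO $pdo, string $name, string $contact): void
{
    if (!isValidContact($contact)) {
        throw new InvalidArgumentException('Contact must be a phone number or e-mail address');
    }
    $stmt = $pdo->prepare('INSERT INTO customers (name, contact) VALUES (:name, :contact)');
    $stmt->execute([':name' => $name, ':contact' => $contact]);
}

// Demonstration against a constructed in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, contact TEXT)');

// Constructed sample input containing a quote, a keyword and a comment dash:
// the kind of value the Remediation section says to look for in logs.
$suspicious = "555-0100' OR 1=1 --";

try {
    saveCustomerSafe($pdo, 'Alice', $suspicious);
} catch (InvalidArgumentException $e) {
    echo 'rejected by validation: ' . $e->getMessage() . PHP_EOL;
}

saveCustomerSafe($pdo, 'Bob', '+1 555-0100');
saveCustomerSafe($pdo, 'Carol', 'carol@example.com');
echo 'rows stored: ' . $pdo->query('SELECT COUNT(*) FROM customers')->fetchColumn() . PHP_EOL;
```

The prepared statement is the actual fix: even if a malformed value slipped past isValidContact(), binding it as a parameter keeps it data rather than SQL. The whitelist validator is defence in depth, and the same function can be run over exported request logs to flag historical Contact values that would not have passed it.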