Moderec Tourtella CVE-2025-4784
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Moderec Tourtella allows SQL Injection.
This issue affects Tourtella: before 26.05.2025.
AnalysisAI
SQL injection in Moderec Tourtella versions prior to 26.05.2025 allows remote unauthenticated attackers to manipulate backend database queries via crafted input, leading to full compromise of confidentiality, integrity, and availability. The flaw was reported through Turkey's national CERT (USOM) under advisory TR-25-0176 and carries a critical 9.8 CVSS score, though no public exploit identified at time of analysis and no EPSS score was provided.
Technical ContextAI
Tourtella is a tourism/travel-industry web application produced by Turkish vendor Moderec, identified by CPE cpe:2.3:a:moderec:tourtella. The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning the application concatenates or interpolates untrusted input directly into SQL statements without proper parameterization or escaping. Root cause class implies a query-building path where user-controlled values (likely HTTP request parameters) reach the database driver unsanitized, allowing attackers to alter query logic, append UNION SELECTs, or invoke stacked/blind techniques depending on the underlying DBMS.
RemediationAI
Upgrade Moderec Tourtella to the build released on or after 26.05.2025, which is the cutoff stated in the advisory (Patch available per vendor advisory; no semantic version string is published in the available references - confirm exact build with Moderec directly). Customers should consult the USOM bulletin TR-25-0176 at https://www.usom.gov.tr/bildirim/tr-25-0176 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0176 for vendor coordination details. Until patched, restrict access to the Tourtella application by placing it behind a WAF tuned for SQLi signatures (trade-off: tuning required to avoid breaking legitimate booking/search queries), IP-allowlist administrative endpoints, enable database-level least privilege so the app account cannot read sensitive tables or execute DDL, and turn on query logging to detect anomalous UNION/OR-based patterns; avoid simply disabling search/filter features unless business impact is acceptable.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today