Skip to main content

Moderec Tourtella CVE-2025-4784

CRITICAL
SQL Injection (CWE-89)
2025-07-24 iletisim@usom.gov.tr
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 05, 2026 - 16:31 vuln.today

DescriptionCVE.org

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Moderec Tourtella allows SQL Injection.

This issue affects Tourtella: before 26.05.2025.

AnalysisAI

SQL injection in Moderec Tourtella versions prior to 26.05.2025 allows remote unauthenticated attackers to manipulate backend database queries via crafted input, leading to full compromise of confidentiality, integrity, and availability. The flaw was reported through Turkey's national CERT (USOM) under advisory TR-25-0176 and carries a critical 9.8 CVSS score, though no public exploit identified at time of analysis and no EPSS score was provided.

Technical ContextAI

Tourtella is a tourism/travel-industry web application produced by Turkish vendor Moderec, identified by CPE cpe:2.3:a:moderec:tourtella. The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), meaning the application concatenates or interpolates untrusted input directly into SQL statements without proper parameterization or escaping. Root cause class implies a query-building path where user-controlled values (likely HTTP request parameters) reach the database driver unsanitized, allowing attackers to alter query logic, append UNION SELECTs, or invoke stacked/blind techniques depending on the underlying DBMS.

RemediationAI

Upgrade Moderec Tourtella to the build released on or after 26.05.2025, which is the cutoff stated in the advisory (Patch available per vendor advisory; no semantic version string is published in the available references - confirm exact build with Moderec directly). Customers should consult the USOM bulletin TR-25-0176 at https://www.usom.gov.tr/bildirim/tr-25-0176 and https://siberguvenlik.gov.tr/guvenlik-bildirimleri/detay/tr-25-0176 for vendor coordination details. Until patched, restrict access to the Tourtella application by placing it behind a WAF tuned for SQLi signatures (trade-off: tuning required to avoid breaking legitimate booking/search queries), IP-allowlist administrative endpoints, enable database-level least privilege so the app account cannot read sensitive tables or execute DDL, and turn on query logging to detect anomalous UNION/OR-based patterns; avoid simply disabling search/filter features unless business impact is acceptable.

Share

CVE-2025-4784 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy