CVE-2025-1964
Published: 05 March 2025
Description
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Security Summary
CVE-2025-1964 is a SQL injection vulnerability rated as critical in projectworlds Online Hotel Booking version 1.0. The flaw resides in the processing of the /booknow.php?roomname=Duplex endpoint, where manipulation of the 'checkin' argument enables SQL injection. It is classified under CWE-74 and CWE-89, with a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Other parameters may also be susceptible.
The vulnerability allows remote attackers with no privileges or user interaction to exploit it over the network with low complexity. By crafting a malicious request targeting the 'checkin' parameter, an attacker can inject SQL payloads, potentially leading to limited impacts on confidentiality, integrity, and availability, such as unauthorized data access, modification, or disruption.
Advisories and details are available via VulDB entries and a GitHub issue tracker, which document the issue and public disclosure of the exploit. No specific patches or mitigations are detailed in the core CVE information.
The exploit has been publicly disclosed, increasing the risk of real-world exploitation against exposed instances of the affected software.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Unauthenticated SQL injection in public-facing web application (/booknow.php) enables initial access via exploitation (T1190), arbitrary data collection from backend databases (T1213.006), and stored data manipulation (T1565.001).