Overview
CVE-2025-13208 describes a SQL Injection vulnerability found in FantasticLBP Hotels Server up to commit 67b44df162fab26df209bd5d5d542875fcbec1d0. This flaw allows a remote attacker to inject malicious SQL code through the subjectId or cityName arguments of the controller/api/hotelList.php file. Exploitation of this vulnerability could lead to unauthorized data access, modification, or deletion. A public exploit is available, increasing the risk of exploitation. Notably, the vendor was contacted but has not responded to the disclosure.
Technical Details
The vulnerability resides within the controller/api/hotelList.php file of FantasticLBP Hotels Server. Specifically, it’s within an unknown function that processes user-supplied input from the subjectId and cityName parameters. These parameters are not properly sanitized or validated before being incorporated into an SQL query. This lack of input sanitization allows an attacker to inject arbitrary SQL code, potentially bypassing authentication and authorization mechanisms.
The fact that FantasticLBP Hotels Server uses a rolling release model complicates patching efforts. Version information for affected or updated releases is unavailable, making it difficult to determine if a specific instance is vulnerable. The availability of a public exploit significantly increases the likelihood of exploitation.
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) assigns CVE-2025-13208 a score of 6.3 (Medium). This score reflects the following characteristics:
- Attack Vector (AV): Network (N) – The vulnerability is exploitable remotely.
- Attack Complexity (AC): Low (L) – The conditions for successful exploitation are relatively straightforward.
- Privileges Required (PR): None (N) – No privileges are required to exploit the vulnerability.
- User Interaction (UI): None (N) – No user interaction is required to trigger the vulnerability.
- Scope (S): Unchanged (U) – The vulnerable component and the impacted component are governed by the same security authority, so exploitation does not cross a trust boundary.
- Confidentiality Impact (C): Low (L) – There is limited disclosure of information assets.
- Integrity Impact (I): Low (L) – There is some modification of information assets.
- Availability Impact (A): Low (L) – There is reduced performance or interruptions in resource availability.
Possible Impact
Successful exploitation of CVE-2025-13208 could have significant consequences, including:
- Data Breach: Sensitive hotel data, customer information, booking details, and financial records could be compromised.
- Account Takeover: Attackers could gain unauthorized access to user accounts, including administrator accounts, potentially leading to further system compromise.
- Data Manipulation: Attackers could modify or delete critical data, disrupting hotel operations and potentially causing financial losses.
- System Compromise: In severe cases, the attacker could gain complete control of the server, allowing them to install malware, deface the website, or use the server for malicious purposes.
Mitigation and Patch Steps
Due to the lack of vendor response and the rolling release model, direct patching information is unavailable. However, the following mitigation steps are recommended:
- Input Sanitization: Thoroughly sanitize and validate all user-supplied input, especially the subjectId and cityName parameters in the controller/api/hotelList.php file. Use parameterized queries or prepared statements to prevent SQL injection.
- Web Application Firewall (WAF): Implement a WAF to detect and block malicious SQL injection attempts. Configure the WAF with rules specifically designed to mitigate SQL injection attacks.
- Database Access Control: Restrict database access privileges to the minimum necessary for each application user. Avoid using overly permissive database accounts.
- Code Review: Conduct regular code reviews to identify and remediate potential vulnerabilities. Focus on areas where user input is processed and used in database queries.
- Monitor for Suspicious Activity: Implement robust logging and monitoring to detect suspicious activity, such as unusual database queries or attempts to access sensitive data.
- Consider Alternative Solutions: If mitigation efforts prove insufficient, consider migrating to a more secure hotel management platform with a proven track record of security and responsiveness to vulnerabilities.
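The parameterized-query fix recommended above, as an added example (this is not code from FantasticLBP Hotels Server, whose hotelList.php query is not shown here): it assumes subjectId is an integer key and cityName a free-text string, and uses an in-memory SQLite table constructed for the demonstration in place of the real database.

```php
<?php
// Added example, not the project's code. Schema and rows below are constructed for the demo.
declare(strict_types=1);

// In-memory SQLite stands in for the real database so the example runs offline.
// With MySQL you would additionally set PDO::ATTR_EMULATE_PREPARES => false.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE hotels (id INTEGER PRIMARY KEY, subject_id INTEGER, city_name TEXT, name TEXT)');
$pdo->exec("INSERT INTO hotels VALUES (1, 3, 'Lyon', 'Hotel A'), (2, 3, 'Martin''s Landing', 'Hotel B')");

// Vulnerable pattern, shown only for contrast: request data is spliced into the SQL text,
// so the database parses whatever the client sent as part of the statement.
function hotelListUnsafe(PDO $pdo, string $subjectId, string $cityName): array
{
    $sql = "SELECT id, name FROM hotels WHERE subject_id = $subjectId AND city_name = '$cityName'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version: validate the shape of each parameter, then bind the values so the
// database only ever sees them as data, never as SQL.
function hotelListSafe(PDO $pdo, string $subjectId, string $cityName): array
{
    // subjectId (assumed to be an integer key) is rejected before any SQL is built if it is not one.
    $id = filter_var($subjectId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($id === false) {
        throw new InvalidArgumentException('subjectId must be a non-negative integer');
    }
    // cityName is bound as a string; a length cap bounds abuse without rejecting apostrophes.
    if (strlen($cityName) > 100) {
        throw new InvalidArgumentException('cityName too long');
    }
    $stmt = $pdo->prepare('SELECT id, name FROM hotels WHERE subject_id = :sid AND city_name = :city');
    $stmt->bindValue(':sid', $id, PDO::PARAM_INT);
    $stmt->bindValue(':city', $cityName, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// A legitimate value containing an apostrophe: the concatenated query is no longer valid SQL,
// while the prepared statement returns the matching row.
try {
    hotelListUnsafe($pdo, '3', "Martin's Landing");
} catch (PDOException $e) {
    echo 'unsafe query failed: ' . $e->getMessage() . PHP_EOL;
}
print_r(hotelListSafe($pdo, '3', "Martin's Landing"));
```

The same apostrophe that breaks the concatenated query is exactly what an attacker controls in the vulnerable pattern; binding removes that control entirely, which is why prepared statements are the primary fix rather than a WAF.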
