Platform: php
Fixed in: 1.0.1
CVE-2025-9924 identifies a SQL Injection vulnerability within the Travel Management System, specifically impacting version 1.0. This flaw allows attackers to potentially manipulate database queries, leading to unauthorized data access or modification. The vulnerability resides within the /enquiry.php file, and exploitation can be achieved remotely. A patch is available in version 1.0.1.
Successful exploitation of CVE-2025-9924 could grant an attacker unauthorized access to sensitive data stored within the Travel Management System's database. This includes potentially accessing user credentials, financial information, travel itineraries, and other confidential details. An attacker could also modify or delete data, leading to data corruption and disruption of services. The remote nature of the vulnerability significantly expands the potential attack surface, making it accessible to a wide range of malicious actors. The SQL injection allows for arbitrary database queries, potentially enabling privilege escalation or even complete system compromise depending on database permissions.
This vulnerability has been publicly disclosed, increasing the risk of exploitation. While no active campaigns have been definitively linked to CVE-2025-9924 at the time of writing, the availability of public information makes it a potential target for opportunistic attackers. The vulnerability is not currently listed on CISA KEV, but its HIGH severity warrants monitoring. A public proof-of-concept may be available or developed shortly.
Exploit Status:
EPSS: 0.03% (9th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-9924 is to immediately upgrade the Travel Management System to version 1.0.1, which includes the necessary fix. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the 't2' parameter within /enquiry.php to prevent malicious SQL code from being injected. Web application firewalls (WAFs) configured with rules to detect and block SQL injection attempts can provide an additional layer of defense. After upgrading, confirm the vulnerability is resolved by attempting a SQL injection attack on the /enquiry.php endpoint with a known malicious payload.
Update to a patched version of the Travel Management System. If no patched version is available, review and sanitize the input of the 't2' parameter in the 'enquiry.php' file to prevent SQL injection. Use prepared statements (parameterized queries) or the escaping functions provided by PHP's database extensions to protect the database.
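The workaround described above (validating 't2' and using prepared statements), shown as an added illustrative example. This is not code from the Travel Management System; the table name, column names and the expected shape of 't2' are assumptions.

```php
<?php
// Added example, not the project's own enquiry.php.
// Table/column names and the format of 't2' are assumptions.

// VULNERABLE pattern: the untrusted 't2' request value is concatenated
// straight into the SQL text, so the value can alter the query structure.
function enquiry_vulnerable(PDO $db, array $request): array
{
    $t2 = $request['t2'] ?? '';
    $sql = "SELECT id, name, email FROM enquiry WHERE t2 = '" . $t2 . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED pattern: allow-list validation first, then bind the value as a
// parameter so the database engine receives it as data, never as SQL.
function enquiry_safe(PDO $db, array $request): array
{
    $t2 = $request['t2'] ?? '';
    // Assumption: t2 is a short token of letters, digits, space, '_' or '-'.
    if (!is_string($t2) || !preg_match('/^[A-Za-z0-9 _-]{1,64}$/', $t2)) {
        http_response_code(400);   // reject anything outside the allow-list
        return [];
    }
    $stmt = $db->prepare('SELECT id, name, email FROM enquiry WHERE t2 = :t2');
    $stmt->bindValue(':t2', $t2, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection setup (assumed values): disable emulated prepares so the
// parameter binding is performed by the MySQL server itself, and surface
// driver errors as exceptions instead of silent failures.
$pdo = new PDO(
    'mysql:host=localhost;dbname=travel;charset=utf8mb4',   // assumed DSN
    'app_user',                                              // assumed user
    getenv('DB_PASSWORD') ?: '',
    [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]
);

header('Content-Type: application/json');
echo json_encode(enquiry_safe($pdo, $_GET));
```

The allow-list regex is the part most likely to need adjustment to the application's real data; the prepared statement is what actually closes the injection regardless of the regex.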
CVE-2025-9924 is a SQL Injection vulnerability affecting Travel Management System version 1.0, allowing attackers to potentially manipulate database queries and access sensitive data.
If you are using Travel Management System version 1.0, you are potentially affected. Upgrade to version 1.0.1 to mitigate the risk.
The recommended fix is to upgrade to version 1.0.1. As a temporary workaround, implement input validation and sanitization on the 't2' parameter in /enquiry.php.
While no active campaigns have been confirmed, the public disclosure increases the risk of exploitation. Monitor your systems for suspicious activity.
Refer to the projectworlds website or relevant security mailing lists for the official advisory regarding CVE-2025-9924.