CVE-2025-15127
SQL Injection in FantasticLBP Hotels_Server /controller/api/Room.php
Publication date: 2025-12-28
Last updated on: 2026-04-29
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fantasticlbp | hotels_server | to 2019-03-23 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a SQL injection issue in the FantasticLBP Hotels_Server, specifically in the /controller/api/Room.php file. Manipulating the hotelId argument allows an attacker to inject malicious SQL code. The attack can be performed remotely, and the exploit has been publicly disclosed.
How can this vulnerability impact me?
The vulnerability can allow an attacker to execute unauthorized SQL commands on the database, potentially leading to data leakage, data modification, or disruption of service. Since it can be exploited remotely without authentication, it poses a significant risk to the confidentiality, integrity, and availability of the affected system.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthorized access, modification, and deletion of sensitive data through SQL injection, which compromises data confidentiality, integrity, and availability. Such a breach can lead to non-compliance with data protection regulations like GDPR and HIPAA, which mandate strict controls over personal and sensitive information. Failure to secure the system against this vulnerability may result in violations of these standards due to potential data leaks and unauthorized data manipulation. [1, 2, 3]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by testing the 'hotelId' parameter of the /controller/api/Room.php endpoint for SQL injection. One common method is to use sqlmap, an automated SQL injection tool, to test for exploitable injection points. For example, you can run a command like: sqlmap -u "http://target/controller/api/Room.php" --data="hotelId=1" --risk=3 --level=5 to test the parameter. Additionally, attack attempts may be detected by monitoring for suspicious HTTP requests targeting this endpoint, and exposed instances may be located with Google dorking queries such as 'inurl:controller/api/Room.php'. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include discontinuing use of the affected component or replacing it with an alternative product, as no known countermeasures or patches exist. It is critical to avoid using the vulnerable version of Hotels_Server up to commit 67b44df162fab26df209bd5d5d542875fcbec1d0. Additionally, applying input validation and sanitization to the 'hotelId' parameter is necessary to prevent SQL injection; binding the value through a prepared statement rather than concatenating it into the query string is the standard fix for CWE-89. Monitoring and blocking suspicious requests targeting the vulnerable endpoint can also help reduce risk until a secure version or patch is available. [1, 2, 3]
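The following is an added illustration of the mitigation described above; it is not code from the Hotels_Server repository, and the table and column names (rooms, hotel_id, room_number, price) as well as the helper names are assumed for the example. It places the injectable pattern (request parameter concatenated into the SQL string) beside a hardened version that validates hotelId as a positive integer and binds it through a PDO prepared statement, so the database receives the query text and the value separately and the value can never alter the statement's structure.

```php
<?php
// Added example, not code from the Hotels_Server project.
// Table/column names and function names are assumptions for illustration.

// Injectable pattern (CWE-89): the request parameter is spliced directly into
// the SQL text, so any SQL syntax contained in hotelId becomes part of the query.
function getRoomsVulnerable(PDO $db, array $request): array
{
    $hotelId = $request['hotelId'];
    $sql = "SELECT id, room_number, price FROM rooms WHERE hotel_id = " . $hotelId;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version: reject anything that is not a positive integer, then pass
// the value as a bound parameter instead of as part of the statement text.
function getRoomsSafe(PDO $db, array $request): array
{
    $hotelId = filter_var($request['hotelId'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($hotelId === false) {
        // Malformed or missing identifier: fail closed with a client error.
        http_response_code(400);
        return [];
    }

    $stmt = $db->prepare(
        'SELECT id, room_number, price FROM rooms WHERE hotel_id = :hotel_id'
    );
    $stmt->bindValue(':hotel_id', $hotelId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage (assumes an existing PDO connection $db created with
// PDO::ATTR_EMULATE_PREPARES => false so binding happens server-side):
// $rooms = getRoomsSafe($db, $_POST);
```

The integer validation alone would already block this particular injection, but the prepared statement is the defence that holds even when a column later needs to accept free-form text; keeping both means a future change to the validation rule cannot silently reintroduce the flaw.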