Description
A vulnerability was detected in itsourcecode Online Hotel Management System 1.0. This impacts an unknown function of the file /admin/mod_amenities/controller.php?action=edit. Performing a manipulation of the argument amen_id results in SQL injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.
Published: 2026-06-29
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker can inject malicious SQL code through the amen_id argument in the edit action of the /admin/mod_amenities controller. The flaw allows the execution of arbitrary database commands, potentially exposing sensitive data or altering database contents. The direct impact is limited to the database accessible by the application, but further exploitation could lead to full compromise of the hosting system.

Affected Systems

The affected product is itsourcecode Online Hotel Management System, version 1.0. No other vendors, products, or versions were listed in the CNA data.

Risk and Exploitability

The CVSS v4.0 score of 6.9 indicates medium severity. EPSS information is not available, so the likelihood of exploitation cannot be quantified. The exploit is public, so attackers have ready-to-use code. The flaw can be triggered remotely via the amen_id parameter, so any deployment whose web interface is reachable over the network is exposed. The vulnerability is not currently listed in CISA’s KEV catalog.

Generated by OpenCVE AI on June 29, 2026 at 11:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Online Hotel Management System to the latest release that contains the fix for the amen_id SQL injection flaw.
  • If an update is unavailable, immediately restrict administrative access to the /admin/mod_amenities endpoint to a known set of IP addresses or secure the area with firewall rules.
  • Apply input validation to ensure that amen_id contains only numeric values, and refactor database queries to use parameterized statements instead of direct string concatenation.



Advisories

No advisories yet.

History

Mon, 29 Jun 2026 10:15:00 +0000

Changes (Type: Values Added; the Values Removed column is empty):

  • Description: A vulnerability was detected in itsourcecode Online Hotel Management System 1.0. This impacts an unknown function of the file /admin/mod_amenities/controller.php?action=edit. Performing a manipulation of the argument amen_id results in SQL injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.
  • Title: itsourcecode Online Hotel Management System controller.php edit sql injection
  • First Time appeared: Itsourcecode; Itsourcecode online Hotel Management System
  • Weaknesses: CWE-74; CWE-89
  • CPEs: cpe:2.3:a:itsourcecode:online_hotel_management_system:*:*:*:*:*:*:*:*
  • Vendors & Products: Itsourcecode; Itsourcecode online Hotel Management System
  • References:
  • Metrics:
    cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
    cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-29T08:45:08.956Z

Reserved: 2026-06-28T16:02:28.801Z

Link: CVE-2026-13552

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T11:30:05Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')