Impact
This vulnerability resides in the SourceCodester Simple Responsive Tourism Website version 1.0 and is triggered by manipulating the Username parameter in the login function at /tourism/classes/Login.php?f=login. The flaw allows an attacker to inject arbitrary SQL, which can lead to unauthorized database access, data modification, or potential data exfiltration. The entry states that the exploit can be launched remotely and has been publicly disclosed, meaning attackers could target vulnerable installations without physical proximity. Consequently, the application may expose sensitive user data or compromise the integrity of the underlying database.
Affected Systems
The affected product is SourceCodester Simple Responsive Tourism Website, version 1.0, supplied by SourceCodester. No further sub-products or service versions are identified. Only this single version is known to contain the vulnerability.
Risk and Exploitability
The CVSS score of 6.9 indicates medium severity, while the EPSS score of less than 1% suggests a very low probability of exploitation in the near term, and the vulnerability is currently not listed in the CISA KEV database. The attack vector is remote: the description states that the exploit can be launched from external hosts via the web interface. Attackers would need network connectivity to the target and would benefit from knowledge of the login URL path; once the injection succeeds, they could gain read or modify access to database contents. Given the modest severity and low exploitation probability, the risk to an organization depends largely on the sensitivity of the stored data and the overall exposure of the application to the internet.
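The entry describes a login query that splices the Username parameter into SQL text. The following is an added illustration, not code from the Simple Responsive Tourism Website or from OpenCVE: it models that flawed pattern and the parameterized fix in Python against an in-memory SQLite table, since the exact PHP in the product is not reproduced here. The table contents, usernames and passwords are constructed for the demonstration; `login_vulnerable` and `login_fixed` are hypothetical names. It shows both failure modes of string-built queries: a crafted username that changes the query's meaning, and a legitimate username containing an apostrophe that breaks the query.

```python
import sqlite3

# Constructed sample accounts for the demonstration (not data from the real product).
# Passwords are stored in clear text only to keep the example short; a real login
# table would store a password hash and compare with a constant-time check.
SAMPLE_USERS = [
    ("admin", "correct-horse"),
    ("alice", "s3cret"),
    ("o'brien", "pw"),          # a legitimate name that contains a quote character
]


def make_db():
    """Create an in-memory users table populated with the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Models the flawed pattern behind the entry: request parameters are
    concatenated into the SQL text, so quote characters in `username` are
    parsed as SQL grammar rather than treated as data.
    Returns the matched user id, or None."""
    sql = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        # A quote in ordinary input corrupts the statement; in a PHP app this
        # typically surfaces as a database error rather than a failed login.
        return None
    return row[0] if row else None


def login_fixed(conn, username, password):
    """Hardened form: a parameterized query. The driver binds `username` and
    `password` as values, so their contents can never alter the statement."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def compare_behaviour():
    """Run the same inputs through both versions and return the outcomes,
    so the difference can be inspected (or asserted on) directly."""
    conn = make_db()
    # Constructed username that closes the string literal and comments out the
    # password check; it is the textbook shape of the flaw the entry describes.
    crafted = "admin' --"
    return {
        "crafted_vulnerable": login_vulnerable(conn, crafted, "wrong"),
        "crafted_fixed": login_fixed(conn, crafted, "wrong"),
        "apostrophe_vulnerable": login_vulnerable(conn, "o'brien", "pw"),
        "apostrophe_fixed": login_fixed(conn, "o'brien", "pw"),
        "normal_fixed": login_fixed(conn, "alice", "s3cret"),
    }


if __name__ == "__main__":
    for name, result in compare_behaviour().items():
        print(f"{name}: {result}")
```

With the vulnerable version the crafted username authenticates as `admin` with no valid password, while the genuine user `o'brien` cannot log in at all because the quote breaks the statement; the parameterized version rejects the crafted input and accepts the apostrophe as ordinary data. For a PHP application the equivalent fix is a prepared statement (PDO or MySQLi with bound parameters) in place of string concatenation; as a compensating control, database error messages triggered by quote characters in the Username field of the login request are a useful detection signal in web server and application logs.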
OpenCVE Enrichment