VYPR
High severity · CVSS 7.3 · NVD Advisory · Published Jun 5, 2026 · Updated Jun 5, 2026

CVE-2026-11342

Description

SQL injection in Hotel and Tourism Reservation System 1.0 allows unauthenticated remote attackers to manipulate database queries via GET or POST parameters.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Code-projects Hotel and Tourism Reservation System 1.0 contains multiple SQL injection vulnerabilities in the details.php file. A GET-based injection exists in the $_GET['room'] parameter (lines 9-10), which is directly concatenated into a SELECT query and reused in subsequent UPDATE and SELECT statements. A POST-based injection exists in the reservation form parameters $_POST['fullname'], $_POST['in_date'], $_POST['out_date'], $_POST['phone'], $_POST['people'], and $_POST['email'] (line 33), which are directly concatenated into an INSERT query. These vulnerabilities affect version 1.0 [1].

Exploitation

An unauthenticated remote attacker can exploit these vulnerabilities without needing a login session. For the GET-based injection, the attacker crafts a malicious URL with a specially designed room parameter. For the POST-based injection, the attacker sends a crafted POST request to the reservation form, bypassing the frontend validation. In both cases, the injected SQL commands are executed by the database [1].

Impact

Successful exploitation allows an attacker to inject arbitrary SQL commands, potentially leading to the extraction of sensitive data from the database via error-based or blind SQL techniques, or the modification of data within the reservations table. The scope of the compromise is limited to the database accessible by the web application [1].

Mitigation

No patched version or specific mitigation details are available in the provided references. The vulnerability has been publicly disclosed and may be actively exploited [1]. Information regarding end-of-life status or inclusion in any known exploited vulnerabilities (KEV) list is not yet disclosed.

AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (3)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

Root cause

"The application directly concatenates user-supplied input into SQL queries without proper sanitization or parameterization."

Attack vector

An unauthenticated remote attacker can exploit this vulnerability by sending specially crafted HTTP GET or POST requests to the `details.php` file. For GET requests, manipulation of the `room` parameter allows for SQL injection. For POST requests, parameters within the reservation form, such as `fullname`, `in_date`, and `email`, can be manipulated to inject malicious SQL commands [1]. The attack can be launched remotely as no authentication is required [1].

Affected code

The vulnerability exists in the `details.php` file of the Hotel And Tourism Reservation System. Specifically, the code concatenates the `$_GET['room']` parameter directly into a SELECT query on lines 9-10. This parameter is also reused in subsequent UPDATE and SELECT queries on lines 39 and 45. Furthermore, POST parameters from the reservation form, including `fullname`, `in_date`, `out_date`, `phone`, `people`, and `email`, are directly concatenated into an INSERT query on line 33 [1].

What the fix does

The advisory recommends using `intval()` to cast the `room` parameter to an integer and employing prepared statements for all SQL queries to prevent SQL injection. Specifically, it suggests using `mysqli_real_escape_string()` or parameterized queries to sanitize user inputs before they are included in SQL statements. Additionally, disabling direct error output in production environments is advised to prevent the leakage of sensitive database information [1].
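The following is an added illustration of the fix pattern described above, not code from the project's `details.php`: the concatenation shape the advisory reports is shown in a comment, and beneath it the same page flow is rewritten with an integer-validated `room` parameter, server-side validation of the reservation fields, and `mysqli` prepared statements for the SELECT, INSERT and UPDATE. Table and column names (`rooms`, `reservations`, `room_id`, `status`), the database credentials and the field length limits are assumptions for the example. It uses `filter_input(..., FILTER_VALIDATE_INT)` rather than the `intval()` the advisory suggests, which is stricter (a value such as `1abc` is rejected instead of being coerced to `1`).

```php
<?php
// Added example (not the project's code). Schema, credentials and limits are assumed.
declare(strict_types=1);

// Advisory point: never surface raw driver errors to the client in production.
ini_set('display_errors', '0');
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // errors become exceptions

$db = new mysqli('localhost', 'app_user', 'app_password', 'ht'); // placeholder credentials
$db->set_charset('utf8mb4');

// --- Vulnerable shape the advisory describes (do NOT use) ---
// $room = $_GET['room'];
// $res  = $db->query("SELECT * FROM rooms WHERE room_id = '$room'");   // lines 9-10
// $db->query("INSERT INTO reservations ... VALUES ('" . $_POST['fullname'] . "', ...)"); // line 33

// --- Hardened: coerce the identifier, then bind every value ---
$room = filter_input(INPUT_GET, 'room', FILTER_VALIDATE_INT);
if ($room === null || $room === false || $room < 1) {
    http_response_code(400);
    exit('invalid room');
}

$stmt = $db->prepare('SELECT room_id, name, price FROM rooms WHERE room_id = ?');
$stmt->bind_param('i', $room);
$stmt->execute();
$roomRow = $stmt->get_result()->fetch_assoc();
$stmt->close();
if ($roomRow === null) {
    http_response_code(404);
    exit('no such room');
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Validate on the server: the front-end checks the advisory mentions are bypassable.
    $fullname = trim((string)($_POST['fullname'] ?? ''));
    $email    = filter_input(INPUT_POST, 'email', FILTER_VALIDATE_EMAIL);
    $phone    = trim((string)($_POST['phone'] ?? ''));
    $people   = filter_input(INPUT_POST, 'people', FILTER_VALIDATE_INT,
                             ['options' => ['min_range' => 1, 'max_range' => 20]]);
    $inDate   = DateTimeImmutable::createFromFormat('!Y-m-d', (string)($_POST['in_date'] ?? ''));
    $outDate  = DateTimeImmutable::createFromFormat('!Y-m-d', (string)($_POST['out_date'] ?? ''));

    if ($fullname === '' || mb_strlen($fullname) > 100
        || $email === null || $email === false
        || $people === null || $people === false
        || $inDate === false || $outDate === false || $outDate <= $inDate
        || !preg_match('/^\+?[0-9 ()-]{5,20}$/', $phone)) {
        http_response_code(400);
        exit('invalid reservation data');
    }

    // Every user-controlled value travels as a bound parameter, never inside the SQL text.
    $ins = $db->prepare(
        'INSERT INTO reservations (room_id, fullname, in_date, out_date, phone, people, email)
         VALUES (?, ?, ?, ?, ?, ?, ?)'
    );
    $in  = $inDate->format('Y-m-d');
    $out = $outDate->format('Y-m-d');
    $ins->bind_param('issssis', $room, $fullname, $in, $out, $phone, $people, $email);
    $ins->execute();
    $ins->close();

    // The room id the advisory reports being reused in a later UPDATE is bound the same way.
    $status = 'reserved';
    $upd = $db->prepare('UPDATE rooms SET status = ? WHERE room_id = ?');
    $upd->bind_param('si', $status, $room);
    $upd->execute();
    $upd->close();
}
```

Two design points worth noting: validation and parameterization are separate layers. Binding alone already stops the injection, so the date, e-mail and range checks exist to reject junk before it reaches the reservations table, not to "sanitize" SQL; and `mysqli_real_escape_string()`, which the advisory also mentions, is only a fallback for places where a prepared statement cannot be used, since it protects string literals but not numeric or identifier positions such as the `room` id.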

Preconditions

  • Network: the target application must be accessible over the network.
  • Authentication: none is required to exploit the vulnerability.

Reproduction

1. Manual Column Count Detection (ORDER BY): Navigate to `http://[target]/details.php?room=1' ORDER BY 7--`. The page renders normally, but fails with `ORDER BY 8--`, confirming 7 columns.
2. UNION-based SQL Injection: Inject a UNION SELECT query such as `http://[target]/details.php?room=1' UNION SELECT 1,2,3,4,5,6,7--` to confirm injection.
3. Database Fingerprinting: Extract database name and user with `http://[target]/details.php?room=1' UNION SELECT 1,database(),user(),4,5,6,7--`.
4. Automated Exploitation: Use sqlmap with `sqlmap -u "http://[target]/details.php?room=1" --batch -D ht --tables` to dump table names [1].

Generated on Jun 5, 2026. Inputs: CWE entries and fix-commit diffs from this CVE's patches. Citations validated against the source bundle.

References (6)

News mentions (0)

No linked articles in our index yet.