CVE-2025-0229 · A vulnerability, which was classified as critical, has been found in code-projects Travel Management System 1.0.

01 · The Real Story

This is less a master key than a bent lockpick jammed into a side door

CVE-2025-0229 is an SQL injection bug in code-projects Travel Management System 1.0, specifically the public enquiry.php workflow. The referenced code concatenates $_REQUEST["pid"] and POST fields t1 through t7 directly into an INSERT statement for the enquiry table, so affected scope is effectively version 1.0 / enquiry.php in the downloadable PHP project.

The vendor's 6.3 MEDIUM is already closer to reality than NVD's 9.8, and I would still push it lower for enterprise patch triage. The big reason is friction: this is a niche sample PHP app, there is no KEV signal, the EPSS is extremely low, and the public PoC shown in the referenced GitHub write-up uses UNION SELECT against what appears to be an INSERT sink, which is a weak indicator of reliable, high-impact exploitation.

"Real bug, weak priority: niche demo app, no KEV, tiny EPSS, and the published PoC targets an INSERT sink awkwardly."

02 · The Attack Path

4 steps from start to impact.

STEP 01

Find a live Travel Management System instance

The attacker first needs a reachable deployment of this exact Code-Projects PHP application, not just any travel site. In practice this usually means a small self-hosted LAMP/XAMPP instance running the downloadable sample project from the Code-Projects post.

Conditions required:

The organization actually runs code-projects Travel Management System 1.0
The site is reachable over the network
The enquiry.php front-end flow is exposed

Where this breaks in practice:

This looks like a hobby/demo PHP package, not a mainstream enterprise platform
Many deployments are likely lab, student, or internal-only installs rather than internet-facing production

Detection/coverage: Internet exposure scanners may fingerprint the page title or pathing, but commercial VM tooling is unlikely to have high-confidence product detection for this exact sample app.

STEP 02

Reach the enquiry submission flow with Burp or curl

The vulnerable code path only runs when the enquiry form is submitted, so the attacker needs a request that sets the submit control and supplies pid plus form fields t1-t7. A tool like Burp Repeater or curl is enough; no exploit framework is required.

Conditions required:

The public booking/enquiry feature is enabled
The attacker can submit form data to enquiry.php

Where this breaks in practice:

If the page is hidden behind reverse proxy restrictions, geo-fencing, or VPN, the attack stops here
Some instances may have broken demo code, dead database connections, or nonstandard local edits

Detection/coverage: Basic DAST can often reach this step; web logs should show repeated crafted requests to enquiry.php with quote characters or SQL metacharacters in pid or the t* parameters.

STEP 03

Exploit the SQL concatenation

The code analysis in the public write-up shows user-controlled values being concatenated directly into an SQL INSERT. That is a real injection condition, but the public PoC's UNION SELECT example is awkward because the sink is not a straightforward SELECT; reliable exploitation is more likely to require quote-breaking, error-based, or blind techniques rather than a copy-paste one-shot payload.

Conditions required:

Backend uses the vulnerable unsanitized query construction
The database driver executes the malformed query in an attacker-useful way

Where this breaks in practice:

The published PoC does not convincingly demonstrate clean data extraction from this sink
If errors are suppressed and time-based payloads are blocked or unstable, exploitation becomes noisy and slow
WAFs and mod_security-style filters often catch crude quote/UNION payloads on public PHP forms

Detection/coverage: SAST should flag string-built SQL here. DAST may flag generic SQLi, but high-confidence exploit confirmation is less certain because the sink is an INSERT, not an obvious data-returning query.

STEP 04

Convert injection into useful impact

Best-case attacker outcomes are database tampering, insertion of bogus enquiry data, or possibly blind extraction if the database behavior and response channel cooperate. What is *not* shown in the public material is a clean path to immediate RCE or mass compromise; the likely blast radius is the application database and whatever credentials that app account can reach.

Conditions required:

The DB account has meaningful read/write permissions
The application leaks enough response timing or error detail to support blind extraction

Where this breaks in practice:

No evidence in reviewed sources of chained RCE, auth bypass, or admin session takeover
A minimally privileged DB user sharply limits damage

Detection/coverage: Look for SQL syntax errors, anomalous inserts in the enquiry table, time-based request patterns, and bursts of POSTs to enquiry.php from single sources.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No confirmed in-the-wild exploitation surfaced in reviewed sources. It is not listed in CISA KEV, and I found no campaign reporting tied to this CVE.
Public PoC	Yes, but low-confidence. NVD references a public GitHub write-up by `Huandtx`; the sample payload uses `UNION SELECT` against code that appears to build an `INSERT`, so treat it as evidence of researcher access, not proof of turnkey weaponization.
EPSS	0.00097 from the user-supplied intel block, which is extremely low and consistent with low operational priority.
KEV status	No. The CVE does not appear in the CISA Known Exploited Vulnerabilities Catalog.
CVSS reality check	Vendor/CNA scoring is `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L` = 6.3 MEDIUM. NVD later overlaid 9.8 CRITICAL with `PR:N/C:H/I:H/A:H`; the referenced code path does not justify that higher score cleanly.
Affected versions	Travel Management System 1.0; the public product page identifies the project and features including Online Package Enquiry, and the referenced vulnerable file is `enquiry.php`.
Fixed version	No authoritative patched version found in reviewed sources. This appears to be a downloadable sample app with no visible vendor security advisory or maintained release train.
Exposure / prevalence	Likely low enterprise prevalence. I found no authoritative GreyNoise/Shodan/Censys/FOFA data tied to this exact product in the reviewed sources. My inference: this is a niche PHP demo package, not a broadly managed enterprise product.
Disclosure date	2025-01-05 per NVD publication metadata and the user-supplied intel block.
Attribution	The public PoC/write-up referenced by NVD is attributed to Huandtx via GitHub; the CVE source is VulDB.

04 · The Call

noisgate verdict.

Final Verdict

↓ DOWNGRADED to LOW (3.6/10)

The decisive factor is real-world reachability and reliability, not the mere presence of SQL concatenation. This bug sits in a niche demo PHP app with no exploitation signal and a shaky public PoC, so it does not belong in the same queue as broadly deployed, cleanly weaponizable internet-edge SQLi.

HIGH The vulnerable code pattern is real

MEDIUM The published PoC is not a strong proof of reliable high-impact exploitation

HIGH Enterprise-wide patch priority should be downgraded

Why this verdict

Baseline starts at vendor 6.3 MEDIUM because the CNA vector already assumes limited impact and some privilege requirement, which is far more believable than NVD's later 9.8 overlay.
One notch back up for exposure semantics: the vulnerable feature appears to be the public enquiry workflow, so I do *not* buy the vendor's PR:L in a strict sense. If you run this app on the internet, an unauthenticated user can likely reach the sink.
Two notches down for product prevalence: this is a small downloadable PHP sample project from Code-Projects, not a mainstream enterprise platform. That sharply limits the population actually at risk across a 10,000-host estate.
Another notch down for exploit quality: the public PoC targets an INSERT sink with UNION SELECT, which is not convincing evidence of easy, repeatable data extraction. That is major friction in real operations.
Down again for threat intel: no KEV listing, no reviewed campaign reporting, and an extremely low EPSS all argue against urgent attacker demand.

Why not higher?

Because the scary part is mostly theoretical unless you already have this exact niche app exposed and the injection can be turned into a reliable blind or error-based channel. The reviewed material does not show a clean path to RCE, tenant-wide takeover, or broad enterprise blast radius.

Why not lower?

Because the code does appear to concatenate user input directly into SQL, and the vulnerable workflow is likely public-facing rather than admin-only. If you do run this exact app, an external attacker can at minimum try to tamper with database writes and potentially go further depending on database behavior.

05 · Compensating Control

What to do — in priority order.

Restrict exposure — If this sample app is not business-critical, pull it off the internet or put it behind VPN/reverse-proxy allowlisting. For a LOW verdict there is no SLA; treat as backlog hygiene, but exposure reduction is still the fastest risk cut if the app is public.
Add a WAF rule for enquiry parameters — Block or challenge SQL metacharacters and anomalous length in pid, t1-t7, and form submissions to enquiry.php. This is compensating control only, not a fix; for LOW, there is no formal mitigation SLA.
Constrain DB permissions — Ensure the application's database user has only the minimum privileges required for the enquiry workflow. If an injection attempt succeeds, least-privilege limits exfiltration and schema tampering; again, for LOW, handle this as backlog hygiene if not already standard.
Instrument logging on enquiry.php — Log request parameters safely, response codes, SQL errors, and source IPs for this endpoint so you can spot repeated payload testing. That gives you a cheap tripwire while the issue sits in the backlog.

What doesn't work

CAPTCHA alone does not solve this; it may slow bulk abuse but does nothing to neutralize SQL metacharacters in accepted requests.
Input length limits do not solve this; short payloads can still break quoting or trigger blind SQLi.
Relying on generic perimeter IDS signatures is weak here; low-volume manual probing through a normal form endpoint often blends into ordinary web traffic.

06 · Verification

Crowdsourced verification payload.

Run this on the target web server that hosts the PHP application, not from your scanner workstation. Invoke it as bash verify-cve-2025-0229.sh /var/www/html/Travel/enquiry.php; it needs only read access to the PHP source file and returns VULNERABLE, PATCHED, or UNKNOWN.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# verify-cve-2025-0229.sh
# Detects the vulnerable SQL construction pattern in Travel Management System enquiry.php
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN / usage / unreadable

set -u

TARGET="${1:-}"

if [[ -z "$TARGET" ]]; then
  echo "UNKNOWN: usage: $0 /path/to/enquiry.php"
  exit 2
fi

if [[ ! -f "$TARGET" ]]; then
  echo "UNKNOWN: file not found: $TARGET"
  exit 2
fi

if [[ ! -r "$TARGET" ]]; then
  echo "UNKNOWN: file not readable: $TARGET"
  exit 2
fi

# Normalize whitespace to make pattern matching less brittle.
CONTENT="$(tr '\n\r\t' '   ' < "$TARGET")"

# Strong indicator: INSERT into enquiry table with direct concatenation of user-controlled pid/t1..t7
if echo "$CONTENT" | grep -Eiq 'insert[[:space:]]+into[[:space:]]+enquiry[[:space:]]*\(' \
  && echo "$CONTENT" | grep -Fq '$_REQUEST["pid"]' \
  && echo "$CONTENT" | grep -Fq '$_POST["t1"]' \
  && echo "$CONTENT" | grep -Fq 'mysqli_query($cn,$s)'; then
  echo "VULNERABLE: direct SQL string concatenation involving pid/t1..t7 found in enquiry.php"
  exit 1
fi

# If prepared statements or parameter binding appear near the query, assume likely patched.
if echo "$CONTENT" | grep -Eiq 'prepare\s*\(|bind_param\s*\(|PDO\s*::\s*prepare'; then
  echo "PATCHED: prepared statement usage detected; manual review still recommended"
  exit 0
fi

# If the file exists but the expected vulnerable markers are absent, status is uncertain.
echo "UNKNOWN: expected vulnerable pattern not found and no clear prepared statements detected"
exit 2

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning: first, identify whether this sample app exists anywhere in your estate and whether any instance is internet-facing. If you have it exposed, reduce exposure or add a temporary WAF rule as simple hygiene, but for a LOW verdict there is no mitigation SLA and noisgate remediation SLA is effectively no SLA (treat as backlog hygiene); put source-code remediation or retirement into normal backlog handling rather than burning emergency patch bandwidth. If you must keep an exposed instance, prioritize code cleanup before the next routine web-app maintenance cycle even though noisgate mitigation SLA does not force an accelerated deadline here.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.