CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

30 Jul 2024 — Weak password hashing using MD5 in funzioni.php in HotelDruid before 1.32 allows an attacker to obtain plaintext passwords from hash values. • https://medium.com/%40cnetsec/security-advisory-cve-2024-23091-weak-password-hashing-using-md5-f18a6fe3a473

CVSS: 6.4 • EPSS: 0% • CPEs: 1 • EXPL: 0

10 Nov 2023 — Cross-site scripting vulnerability in HOTELDRUID 3.0.5 and earlier allows a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product. • https://jvn.jp/en/jp/JVN99177549 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 1

20 Sep 2023 — Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the numcaselle parameter at /hoteldruid/creaprezzi.php. • https://flashy-lemonade-192.notion.site/SQL-injection-in-hoteldruid-version-3-0-5-via-numcaselle-parameter-e1e3d6938a464a8db1ca18ee66b7e66e?pvs=4 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 10.0 • EPSS: 1% • CPEs: 1 • EXPL: 1

20 Sep 2023 — Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the id_utente_log parameter at /hoteldruid/personalizza.php. • https://flashy-lemonade-192.notion.site/SQL-injection-in-hoteldruid-version-3-0-5-via-id_utente_log-parameter-8b89f014004947e7bd2ecdacf1610cf9?pvs=4 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 10.0 • EPSS: 1% • CPEs: 1 • EXPL: 1

20 Sep 2023 — Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the n_utente_agg parameter at /hoteldruid/interconnessioni.php. • https://flashy-lemonade-192.notion.site/SQL-injection-in-hoteldruid-version-3-0-5-via-n_utente_agg-parameter-948a6d724b5348f3867ee6d780f98f1a?pvs=4 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

20 Sep 2023 — A cross-site scripting (XSS) vulnerability in /hoteldruid/visualizza_contratto.php of Hoteldruid v3.0.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the destinatario_email1 parameter. • https://flashy-lemonade-192.notion.site/Cross-site-scripting-in-hoteldruid-version-3-0-5-via-destinatario_email1-post-parameter-0ac6596d5b534dd1b2a49987ad065d1c?pvs=4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

20 Sep 2023 — Hoteldruid v3.0.5 was discovered to contain multiple SQL injection vulnerabilities at /hoteldruid/clienti.php via the annonascita, annoscaddoc, giornonascita, giornoscaddoc, lingua_cli, mesenascita, and mesescaddoc parameters. • https://flashy-lemonade-192.notion.site/Cross-site-scripting-in-hoteldruid-version-3-0-5-via-multiple-post-parameter-ddbd9a9011744ed2b8fc995bbc9de56d?pvs=4 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

20 Sep 2023 — A cross-site scripting (XSS) vulnerability in /hoteldruid/clienti.php of Hoteldruid v3.0.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the nometipotariffa1 parameter. • https://flashy-lemonade-192.notion.site/Cross-site-scripting-in-hoteldruid-version-3-0-5-via-nometipotariffa1-post-parameter-703fde27462c43a1aaa1097fb3416cdc?pvs=4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 9.0 • EPSS: 0% • CPEs: 1 • EXPL: 1

13 Jun 2023 — Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability. • https://github.com/leekenghwa/CVE-2023-33817---SQL-Injection-found-in-HotelDruid-3.0.5 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

13 Jun 2023 — A reflected XSS vulnerability was discovered in HotelDruid version 3.0.5. An attacker can inject malicious code or commands into a parameter of the affected web page to trick the user in the browser and/or exfiltrate data. • https://github.com/leekenghwa/CVE-2023-34537---XSS-reflected--found-in-HotelDruid-3.0.5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')