
CVE-2025-44203
https://notcve.org/view.php?id=CVE-2025-44203
20 Jun 2025 — In HotelDruid 3.0.7, an unauthenticated attacker can exploit verbose SQL error messages on creadb.php before the 'create database' button is pressed. By sending malformed POST requests to this endpoint, the attacker may obtain the administrator username, password hash, and salt. In some cases, the attack results in a Denial of Service (DoS), preventing the administrator from logging in even with the correct credentials. • https://github.com/IvanT7D3/CVE-2025-44203 • CWE-209: Generation of Error Message Containing Sensitive Information CWE-400: Uncontrolled Resource Consumption

CVE-2024-23091
https://notcve.org/view.php?id=CVE-2024-23091
30 Jul 2024 — Weak password hashing using MD5 in funzioni.php in HotelDruid before 1.32 allows an attacker to obtain plaintext passwords from hash values. • https://medium.com/%40cnetsec/security-advisory-cve-2024-23091-weak-password-hashing-using-md5-f18a6fe3a473 • CWE-916: Use of Password Hash With Insufficient Computational Effort
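Why an unsalted, fast hash such as MD5 is CWE-916, shown as an added illustration in Python (HotelDruid is PHP; this is not the project's funzioni.php and does not reproduce its logic). The user names, passwords, wordlist and the "stolen" hash table are constructed for the example; the hardened variant uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for whatever slow KDF a real deployment would pick.

```python
"""Why unsalted MD5 is unfit for password storage (CWE-916).

Added illustration in Python, not HotelDruid's PHP code. The user
names, passwords and wordlist are constructed for the example.
"""
import hashlib
import hmac
import os

# Constructed wordlist and a constructed "stolen" table of unsalted MD5
# hashes of the kind CVE-2024-23091 describes.
WORDLIST = ["123456", "password", "hotel2024", "letmein", "druid", "Summer!2023"]
STOLEN_MD5 = {
    "alice": hashlib.md5(b"hotel2024").hexdigest(),
    "bob": hashlib.md5(b"password").hexdigest(),
    "carol": hashlib.md5(b"Summer!2023").hexdigest(),
    "dave": hashlib.md5(b"password").hexdigest(),   # same password as bob
}


def crack_md5(hashes, wordlist):
    """Dictionary attack on unsalted MD5. Returns (recovered, hashes_computed).

    Without a salt, one MD5 per candidate word serves every user at once:
    the table is built once and looked up per user, and users sharing a
    password are visible as identical hashes before any cracking starts.
    """
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    recovered = {user: table[h] for user, h in hashes.items() if h in table}
    return recovered, len(wordlist)


# Hardened storage: random per-user salt and a deliberately slow KDF.
# PBKDF2-HMAC-SHA256 is used because it ships with hashlib; scrypt or
# Argon2 are preferable where a library is available.
PBKDF2_ROUNDS = 200_000


def hash_password(password, salt=None, rounds=PBKDF2_ROUNDS):
    """Return a self-describing string: algorithm$rounds$salt_hex$dk_hex."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and rounds; constant-time compare."""
    algo, rounds, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_pbkdf2(stored, wordlist):
    """The same dictionary attack against salted PBKDF2. Returns
    (recovered, kdf_runs): the salt forces one full KDF run per
    (user, candidate) pair, so work scales with users x words x rounds
    instead of one cheap hash per word shared by all users."""
    recovered, kdf_runs = {}, 0
    for user, s in stored.items():
        for w in wordlist:
            kdf_runs += 1
            if verify_password(w, s):
                recovered[user] = w
                break
    return recovered, kdf_runs


def main():
    found, work = crack_md5(STOLEN_MD5, WORDLIST)
    print(f"MD5: recovered {len(found)}/{len(STOLEN_MD5)} passwords with {work} hash computations")
    salted = {u: hash_password(p) for u, p in [("alice", "hotel2024"), ("bob", "password")]}
    found, work = crack_pbkdf2(salted, WORDLIST)
    print(f"PBKDF2: recovered {len(found)} weak passwords, but it cost {work} x {PBKDF2_ROUNDS} HMAC iterations")


if __name__ == "__main__":
    main()
```

The second attack still succeeds against passwords that are in the wordlist; the salt and round count do not make a weak password strong, they only stop one precomputed table from serving every user and every leaked database at once.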

CVE-2023-47164
https://notcve.org/view.php?id=CVE-2023-47164
10 Nov 2023 — Cross-site scripting vulnerability in HOTELDRUID 3.0.5 and earlier allows a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product. • https://jvn.jp/en/jp/JVN99177549 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-43374
https://notcve.org/view.php?id=CVE-2023-43374
20 Sep 2023 — Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the id_utente_log parameter at /hoteldruid/personalizza.php. • https://flashy-lemonade-192.notion.site/SQL-injection-in-hoteldruid-version-3-0-5-via-id_utente_log-parameter-8b89f014004947e7bd2ecdacf1610cf9?pvs=4 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2023-43375
https://notcve.org/view.php?id=CVE-2023-43375
20 Sep 2023 — Hoteldruid v3.0.5 was discovered to contain multiple SQL injection vulnerabilities at /hoteldruid/clienti.php via the annonascita, annoscaddoc, giornonascita, giornoscaddoc, lingua_cli, mesenascita, and mesescaddoc parameters. • https://flashy-lemonade-192.notion.site/Cross-site-scripting-in-hoteldruid-version-3-0-5-via-multiple-post-parameter-ddbd9a9011744ed2b8fc995bbc9de56d?pvs=4 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2023-43376
https://notcve.org/view.php?id=CVE-2023-43376
20 Sep 2023 — A cross-site scripting (XSS) vulnerability in /hoteldruid/clienti.php of Hoteldruid v3.0.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the nometipotariffa1 parameter. • https://flashy-lemonade-192.notion.site/Cross-site-scripting-in-hoteldruid-version-3-0-5-via-nometipotariffa1-post-parameter-703fde27462c43a1aaa1097fb3416cdc?pvs=4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVE-2023-43371
https://notcve.org/view.php?id=CVE-2023-43371
20 Sep 2023 — Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the numcaselle parameter at /hoteldruid/creaprezzi.php. • https://flashy-lemonade-192.notion.site/SQL-injection-in-hoteldruid-version-3-0-5-via-numcaselle-parameter-e1e3d6938a464a8db1ca18ee66b7e66e?pvs=4 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2023-43373
https://notcve.org/view.php?id=CVE-2023-43373
20 Sep 2023 — Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the n_utente_agg parameter at /hoteldruid/interconnessioni.php. • https://flashy-lemonade-192.notion.site/SQL-injection-in-hoteldruid-version-3-0-5-via-n_utente_agg-parameter-948a6d724b5348f3867ee6d780f98f1a?pvs=4 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2023-43377
https://notcve.org/view.php?id=CVE-2023-43377
20 Sep 2023 — A cross-site scripting (XSS) vulnerability in /hoteldruid/visualizza_contratto.php of Hoteldruid v3.0.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the destinatario_email1 parameter. • https://flashy-lemonade-192.notion.site/Cross-site-scripting-in-hoteldruid-version-3-0-5-via-destinatario_email1-post-parameter-0ac6596d5b534dd1b2a49987ad065d1c?pvs=4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVE-2023-33817
https://notcve.org/view.php?id=CVE-2023-33817
13 Jun 2023 — hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability. • https://github.com/leekenghwa/CVE-2023-33817---SQL-Injection-found-in-HotelDruid-3.0.5 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
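The CWE-89 entries above (CVE-2023-43371, -43373, -43374, -43375 and -33817) all name request parameters that are meant to be numbers (a user id, a count, a year, month or day), and CVE-2025-44203 is the CWE-209 side of the same coin: a raw database error returned to the client. The following is an added illustration in Python with sqlite3, not HotelDruid's PHP code; the table 'utenti', its columns, the placeholder hash values and the handler names are constructed for the example. It shows the string-built query beside the type-checked, bound one, and the verbose error handler beside the one that keeps the detail server-side.

```python
"""String-built SQL versus bound parameters (CWE-89), and what the
client sees when the query breaks (CWE-209).

Added illustration in Python/sqlite3, not HotelDruid's PHP code: the
table 'utenti', its columns and the handler names are constructed for
the example. The numeric request parameters the advisories name
(id_utente_log, n_utente_agg, numcaselle, annonascita and the other
date fields) are the kind of input this pattern concerns.
"""
import sqlite3


def make_db():
    """Constructed schema with two users; the hash values are placeholders."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE utenti (id_utente INTEGER PRIMARY KEY, nome TEXT, password_hash TEXT)"
    )
    con.executemany(
        "INSERT INTO utenti VALUES (?, ?, ?)",
        [(1, "admin", "<admin-hash>"), (2, "reception", "<reception-hash>")],
    )
    return con


def lookup_vulnerable(con, id_utente_log):
    """CWE-89 pattern: a parameter that is *expected* to be numeric is
    pasted into the statement, so whatever text it carries becomes SQL."""
    sql = f"SELECT id_utente, nome FROM utenti WHERE id_utente = {id_utente_log}"
    return con.execute(sql).fetchall()


def lookup_hardened(con, id_utente_log):
    """Type-check first, then bind. int() rejects 'OR', quotes and UNION;
    the placeholder makes the value data, never statement text."""
    try:
        id_int = int(id_utente_log)
    except (TypeError, ValueError):
        raise ValueError("id_utente_log must be an integer") from None
    return con.execute(
        "SELECT id_utente, nome FROM utenti WHERE id_utente = ?", (id_int,)
    ).fetchall()


def handle_request_verbose(con, id_utente_log):
    """CWE-209 pattern: the raw database error is echoed to the client,
    confirming the injection point and describing how the statement broke."""
    try:
        return {"rows": lookup_vulnerable(con, id_utente_log)}
    except sqlite3.Error as e:
        return {"error": f"SQL error: {e}"}


def handle_request_hardened(con, id_utente_log, server_log):
    """Generic message to the client; the detail goes only to the server log."""
    try:
        return {"rows": lookup_hardened(con, id_utente_log)}
    except ValueError as e:
        server_log.append(f"rejected input {id_utente_log!r}: {e}")
        return {"error": "invalid request"}
    except sqlite3.Error as e:
        server_log.append(f"database error for {id_utente_log!r}: {e}")
        return {"error": "internal error"}


if __name__ == "__main__":
    con = make_db()
    payloads = ["1", "1 OR 1=1", "0 UNION SELECT id_utente, password_hash FROM utenti", "1'"]
    for payload in payloads:
        print(f"{payload!r}\n  verbose:  {handle_request_verbose(con, payload)}")
        log = []
        print(f"  hardened: {handle_request_hardened(con, payload, log)}  server_log={log}")
```

Run stand-alone, the UNION payload pulls both stored password hashes out through the string-built query, and the trailing quote produces an "SQL error: unrecognized token" message from the verbose handler; the hardened handler rejects both before the database is touched and records the attempt only in the server log. The same int() guard (or an equivalent allow-list for non-numeric fields such as lingua_cli) applies to every parameter the advisories list.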