CVSS: 6.4EPSS: 0%CPEs: 1EXPL: 0CVE-2023-47164
https://notcve.org/view.php?id=CVE-2023-47164
10 Nov 2023 — Cross-site scripting vulnerability in HOTELDRUID 3.0.5 and earlier allows a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product. Una vulnerabilidad de Cross-site scripting en HOTELDRUID 3.0.5 y versiones anteriores permite que un atacante remoto no autenticado ejecute un script arbitrario en el navegador web del usuario que inicia sesión en el producto. • https://jvn.jp/en/jp/JVN99177549 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-43371
https://notcve.org/view.php?id=CVE-2023-43371
20 Sep 2023 — Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the numcaselle parameter at /hoteldruid/creaprezzi.php. Se descubrió que Hoteldruid v3.0.5 contenía una vulnerabilidad de inyección SQL a través del parámetro numcaselle en /hoteldruid/creaprezzi.php. • https://flashy-lemonade-192.notion.site/SQL-injection-in-hoteldruid-version-3-0-5-via-numcaselle-parameter-e1e3d6938a464a8db1ca18ee66b7e66e?pvs=4 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0EPSS: 1%CPEs: 1EXPL: 1CVE-2023-43374
https://notcve.org/view.php?id=CVE-2023-43374
20 Sep 2023 — Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the id_utente_log parameter at /hoteldruid/personalizza.php. Se descubrió que Hoteldruid v3.0.5 contenía una vulnerabilidad de inyección SQL a través del parámetro id_utente_log en /hoteldruid/personalizza.php. • https://flashy-lemonade-192.notion.site/SQL-injection-in-hoteldruid-version-3-0-5-via-id_utente_log-parameter-8b89f014004947e7bd2ecdacf1610cf9?pvs=4 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0EPSS: 1%CPEs: 1EXPL: 1CVE-2023-43373
https://notcve.org/view.php?id=CVE-2023-43373
20 Sep 2023 — Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the n_utente_agg parameter at /hoteldruid/interconnessioni.php. Se descubrió que Hoteldruid v3.0.5 contenía una vulnerabilidad de inyección SQL a través del parámetro n_utente_agg en /hoteldruid/interconnessioni.php. • https://flashy-lemonade-192.notion.site/SQL-injection-in-hoteldruid-version-3-0-5-via-n_utente_agg-parameter-948a6d724b5348f3867ee6d780f98f1a?pvs=4 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-43377
https://notcve.org/view.php?id=CVE-2023-43377
20 Sep 2023 — A cross-site scripting (XSS) vulnerability in /hoteldruid/visualizza_contratto.php of Hoteldruid v3.0.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the destinatario_email1 parameter. Una vulnerabilidad de Cross-Site Scripting (XSS) en /hoteldruid/visualizza_contratto.php de Hoteldruid v3.0.5 permite a los atacantes ejecutar scripts web o HTML de su elección a través de un payload manipulado inyectado en el parámetro destinatario_email1. • https://flashy-lemonade-192.notion.site/Cross-site-scripting-in-hoteldruid-version-3-0-5-via-destinatario_email1-post-parameter-0ac6596d5b534dd1b2a49987ad065d1c?pvs=4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-43375
https://notcve.org/view.php?id=CVE-2023-43375
20 Sep 2023 — Hoteldruid v3.0.5 was discovered to contain multiple SQL injection vulnerabilities at /hoteldruid/clienti.php via the annonascita, annoscaddoc, giornonascita, giornoscaddoc, lingua_cli, mesenascita, and mesescaddoc parameters. Se descubrió que Hoteldruid v3.0.5 contiene múltiples vulnerabilidades de inyección SQL en /hoteldruid/clienti.php a través de los parámetros annonascita, annoscaddoc, giornonascita, giornoscaddoc, lingua_cli, mesenascita y mesescaddoc. • https://flashy-lemonade-192.notion.site/Cross-site-scripting-in-hoteldruid-version-3-0-5-via-multiple-post-parameter-ddbd9a9011744ed2b8fc995bbc9de56d?pvs=4 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-43376
https://notcve.org/view.php?id=CVE-2023-43376
20 Sep 2023 — A cross-site scripting (XSS) vulnerability in /hoteldruid/clienti.php of Hoteldruid v3.0.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the nometipotariffa1 parameter. Una vulnerabilidad de Cross-Site Scripting (XSS) en /hoteldruid/clienti.php de Hoteldruid v3.0.5 permite a los atacantes ejecutar scrips web o HTML de su elección a través de un payload manipulado inyectada en el parámetro nometiporiffa1. • https://flashy-lemonade-192.notion.site/Cross-site-scripting-in-hoteldruid-version-3-0-5-via-nometipotariffa1-post-parameter-703fde27462c43a1aaa1097fb3416cdc?pvs=4 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 1CVE-2023-33817
https://notcve.org/view.php?id=CVE-2023-33817
13 Jun 2023 — hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability. • https://github.com/leekenghwa/CVE-2023-33817---SQL-Injection-found-in-HotelDruid-3.0.5 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-34537
https://notcve.org/view.php?id=CVE-2023-34537
13 Jun 2023 — A Reflected XSS was discovered in HotelDruid version 3.0.5, an attacker can issue malicious code/command on affected webpage's parameter to trick user on browser and/or exfiltrate data. • https://github.com/leekenghwa/CVE-2023-34537---XSS-reflected--found-in-HotelDruid-3.0.5 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 3.7EPSS: 0%CPEs: 1EXPL: 1CVE-2021-42948
https://notcve.org/view.php?id=CVE-2021-42948
16 Sep 2022 — HotelDruid Hotel Management Software v3.0.3 and below was discovered to have exposed session tokens in multiple links via GET parameters, allowing attackers to access user session id's. Se ha detectado que HotelDruid Hotel Management Software versiones v3.0.3 y anteriores, tenía tokens de sesión expuestos en múltiples enlaces por medio de parámetros GET, lo que permitía a atacantes acceder a identificadores de sesión de usuarios • https://github.com/dhammon/HotelDruid-CVE-2021-42948 • CWE-319: Cleartext Transmission of Sensitive Information •