CVE-2025-44203

Published: Jun 20, 2025Modified: Jun 26, 2025

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploitability: 3.9 / Impact: 3.6

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

In HotelDruid 3.0.7, an unauthenticated attacker can exploit verbose SQL error messages on creadb.php before the 'create database' button is pressed. By sending malformed POST requests to this endpoint, the attacker may obtain the administrator username, password hash, and salt. In some cases, the attack results in a Denial of Service (DoS), preventing the administrator from logging in even with the correct credentials.

Affected (2)

Products: Digitaldruid: Hoteldruid

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Digitaldruid Hoteldruid	Version 3.0.0
Digitaldruid Hoteldruid	Version 3.0.7

Related CWEs

Generation of Error Message Containing Sensitive Information

The product generates an error message that includes sensitive information about its environment, users, or associated data.

Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

References (3)

https://github.com/IvanT7D3/CVE-2025-44203/tree/main

Source: cve@mitre.org

Third Party Advisory

https://www.hoteldruid.com/

Source: cve@mitre.org

Product

https://github.com/IvanT7D3/CVE-2025-44203/tree/main

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

Third Party Advisory

Timeline

No history available yet.