Hoteldruid

hoteldruid

Vendor: Digitaldruid • 30 CVEs

CVEs (30)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-55816 1Digitaldruid 1Hoteldruid Dec 15, 2025 Dec 11, 2025 N/A· v4 6.1 MEDIUM· v3 N/A· v2 HotelDruid v3.0.7 and before is vulnerable to Cross Site Scripting (XSS) in the /modifica_app.php file.
CVE-2025-44203 1Digitaldruid 1Hoteldruid Jun 26, 2025 Jun 20, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 In HotelDruid 3.0.7, an unauthenticated attacker can exploit verbose SQL error messages on creadb.php before the 'create database' button is pressed. By sending malformed POST requests to this endpoint, the attacker may...Show more In HotelDruid 3.0.7, an unauthenticated attacker can exploit verbose SQL error messages on creadb.php before the 'create database' button is pressed. By sending malformed POST requests to this endpoint, the attacker may obtain the administrator username, password hash, and salt. In some cases, the attack results in a Denial of Service (DoS), preventing the administrator from logging in even with the correct credentials.Show less
CVE-2023-43378 1Digitaldruid 1Hoteldruid Jun 23, 2025 Apr 22, 2025 N/A· v4 6.1 MEDIUM· v3 N/A· v2 A cross-site scripting (XSS) vulnerability in Hoteldruid v3.0.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the commento1_1 parameter.
CVE-2025-25749 1Digitaldruid 1Hoteldruid Apr 7, 2025 Mar 11, 2025 N/A· v4 7.1 HIGH· v3 N/A· v2 An issue in HotelDruid version 3.0.7 and earlier allows users to set weak passwords due to the lack of enforcement of password strength policies.
CVE-2025-25748 1Digitaldruid 1Hoteldruid Jan 29, 2026 Mar 11, 2025 N/A· v4 7.3 HIGH· v3 N/A· v2 A CSRF vulnerability in the gestione_utenti.php endpoint of HotelDruid 3.0.7 allows attackers to perform unauthorized actions (e.g., modifying user passwords) on behalf of authenticated users by exploiting the lack of or...Show more A CSRF vulnerability in the gestione_utenti.php endpoint of HotelDruid 3.0.7 allows attackers to perform unauthorized actions (e.g., modifying user passwords) on behalf of authenticated users by exploiting the lack of origin or referrer validation and the absence of CSRF tokens. NOTE: this is disputed because there is an id_sessione CSRF token.Show less
CVE-2025-25747 1Digitaldruid 1Hoteldruid May 28, 2025 Mar 11, 2025 N/A· v4 5.4 MEDIUM· v3 N/A· v2 Cross Site Scripting vulnerability in DigitalDruid HotelDruid v.3.0.7 allows an attacker to execute arbitrary code and obtain sensitive information via the ripristina_backup parameter in the crea_backup.php endpoint
CVE-2024-23091 1Digitaldruid 1Hoteldruid Mar 18, 2025 Jul 30, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 Weak password hashing using MD5 in funzioni.php in HotelDruid before 1.32 allows an attacker to obtain plaintext passwords from hash values.
CVE-2023-47164 1Digitaldruid 1Hoteldruid Nov 21, 2024 Nov 10, 2023 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Cross-site scripting vulnerability in HOTELDRUID 3.0.5 and earlier allows a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product.
CVE-2023-43377 1Digitaldruid 1Hoteldruid Nov 21, 2024 Sep 20, 2023 N/A· v4 5.4 MEDIUM· v3 N/A· v2 A cross-site scripting (XSS) vulnerability in /hoteldruid/visualizza_contratto.php of Hoteldruid v3.0.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the destinatario_email...Show more A cross-site scripting (XSS) vulnerability in /hoteldruid/visualizza_contratto.php of Hoteldruid v3.0.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the destinatario_email1 parameter.Show less
CVE-2023-43376 1Digitaldruid 1Hoteldruid Nov 21, 2024 Sep 20, 2023 N/A· v4 5.4 MEDIUM· v3 N/A· v2 A cross-site scripting (XSS) vulnerability in /hoteldruid/clienti.php of Hoteldruid v3.0.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the nometipotariffa1 parameter.
CVE-2023-43375 1Digitaldruid 1Hoteldruid Nov 21, 2024 Sep 20, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Hoteldruid v3.0.5 was discovered to contain multiple SQL injection vulnerabilities at /hoteldruid/clienti.php via the annonascita, annoscaddoc, giornonascita, giornoscaddoc, lingua_cli, mesenascita, and mesescaddoc param...Show more Hoteldruid v3.0.5 was discovered to contain multiple SQL injection vulnerabilities at /hoteldruid/clienti.php via the annonascita, annoscaddoc, giornonascita, giornoscaddoc, lingua_cli, mesenascita, and mesescaddoc parameters.Show less
CVE-2023-43374 1Digitaldruid 1Hoteldruid Nov 21, 2024 Sep 20, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the id_utente_log parameter at /hoteldruid/personalizza.php.
CVE-2023-43373 1Digitaldruid 1Hoteldruid Nov 21, 2024 Sep 20, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the n_utente_agg parameter at /hoteldruid/interconnessioni.php.
CVE-2023-43371 1Digitaldruid 1Hoteldruid Nov 21, 2024 Sep 20, 2023 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the numcaselle parameter at /hoteldruid/creaprezzi.php.
CVE-2023-34537 1Digitaldruid 1Hoteldruid Nov 21, 2024 Jun 13, 2023 N/A· v4 5.4 MEDIUM· v3 N/A· v2 A Reflected XSS was discovered in HotelDruid version 3.0.5, an attacker can issue malicious code/command on affected webpage's parameter to trick user on browser and/or exfiltrate data.
CVE-2023-33817 1Digitaldruid 1Hoteldruid Nov 21, 2024 Jun 13, 2023 N/A· v4 8.8 HIGH· v3 N/A· v2 hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability.
CVE-2023-29839 1Digitaldruid 1Hoteldruid Apr 7, 2025 May 3, 2023 N/A· v4 5.4 MEDIUM· v3 N/A· v2 A Stored Cross Site Scripting (XSS) vulnerability exists in multiple pages of Hotel Druid version 3.0.4, which allows arbitrary execution of commands. The vulnerable fields are Surname, Name, and Nickname in the Document...Show more A Stored Cross Site Scripting (XSS) vulnerability exists in multiple pages of Hotel Druid version 3.0.4, which allows arbitrary execution of commands. The vulnerable fields are Surname, Name, and Nickname in the Document function.Show less
CVE-2021-42948 1Digitaldruid 1Hoteldruid Nov 21, 2024 Sep 16, 2022 N/A· v4 3.7 LOW· v3 N/A· v2 HotelDruid Hotel Management Software v3.0.3 and below was discovered to have exposed session tokens in multiple links via GET parameters, allowing attackers to access user session id's.
CVE-2021-42949 1Digitaldruid 1Hoteldruid Jun 3, 2025 Sep 16, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 The component controlla_login function in HotelDruid Hotel Management Software v3.0.3 generates a predictable session token, allowing attackers to bypass authentication via bruteforce attacks.
CVE-2022-26564 1Digitaldruid 1Hoteldruid Nov 21, 2024 Apr 26, 2022 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 HotelDruid Hotel Management Software v3.0.3 contains a cross-site scripting (XSS) vulnerability via the prezzoperiodo4 parameter in creaprezzi.php.

12 Next