Lucene search

Hoteldruid Security Vulnerabilities

cve

CVE-2018-1000871

HotelDruid HotelDruid 2.3.0 version 2.3.0 and earlier contains a SQL Injection vulnerability in "id_utente_mod" parameter in gestione_utenti.php file that can result in An attacker can dump all the database records of backend webserver. This attack appear to be exploitable via the attack can be don...

9.8CVSS

9.7AI Score

0.003EPSS

2018-12-20 05:29 PM

cve

CVE-2019-8937

HotelDruid 2.3.0 has XSS affecting the nsextt, cambia1, mese_fine, origine, and anno parameters in creaprezzi.php, tabella3.php, personalizza.php, and visualizza_tabelle.php.

6.1CVSS

5.8AI Score

0.005EPSS

2019-05-17 03:29 PM

cve

CVE-2019-9084

In Hoteldruid before 2.3.1, a division by zero was discovered in $num_tabelle in tab_tariffe.php (aka the numtariffa1 parameter) due to the mishandling of non-numeric values, as demonstrated by the /tab_tariffe.php?anno=[YEAR]&numtariffa1=1a URI. It could allow an administrator to conduct remote de...

4.9CVSS

5AI Score

0.001EPSS

2019-06-07 09:29 PM

161

cve

CVE-2019-9085

Hoteldruid before v2.3.1 allows remote authenticated users to cause a denial of service (invoice-creation outage) via the n_file parameter to visualizza_contratto.php with invalid arguments (any non-numeric value), as demonstrated by the anno=2019&id_transazione=1&numero_contratto=1&n_file=a query ...

6.5CVSS

6.1AI Score

0.002EPSS

2019-06-24 06:15 PM

cve

CVE-2019-9086

HotelDruid before v2.3.1 has SQL Injection via the /visualizza_tabelle.php anno parameter.

9.8CVSS

9.9AI Score

0.002EPSS

2019-06-07 09:29 PM

204

cve

CVE-2019-9087

HotelDruid before v2.3.1 has SQL Injection via the /tab_tariffe.php numtariffa1 parameter.

9.8CVSS

9.9AI Score

0.002EPSS

2019-06-07 09:29 PM

173

cve

CVE-2021-37832

A SQL injection vulnerability exists in version 3.0.2 of Hotel Druid when SQLite is being used as the application database. A malicious attacker can issue SQL commands to the SQLite database through the vulnerable idappartamenti parameter.

9.8CVSS

9.7AI Score

0.002EPSS

2021-08-03 01:15 PM

cve

CVE-2021-37833

A reflected cross-site scripting (XSS) vulnerability exists in multiple pages in version 3.0.2 of the Hotel Druid application that allows for arbitrary execution of JavaScript commands.

6.1CVSS

6AI Score

0.003EPSS

2021-08-03 01:15 PM

cve

CVE-2021-38559

DigitalDruid HotelDruid 3.0.2 has an XSS vulnerability in prenota.php affecting the fineperiodo1 parameter.

6.1CVSS

5.9AI Score

0.001EPSS

2021-08-26 01:15 PM

cve

CVE-2021-42948

HotelDruid Hotel Management Software v3.0.3 and below was discovered to have exposed session tokens in multiple links via GET parameters, allowing attackers to access user session id's.

3.7CVSS

4.4AI Score

0.001EPSS

2022-09-16 04:15 PM

cve

CVE-2021-42949

The component controlla_login function in HotelDruid Hotel Management Software v3.0.3 generates a predictable session token, allowing attackers to bypass authentication via bruteforce attacks.

9.8CVSS

9.5AI Score

0.003EPSS

2022-09-16 03:15 PM

cve

CVE-2022-22909

HotelDruid v3.0.3 was discovered to contain a remote code execution (RCE) vulnerability which is exploited via an attacker inserting a crafted payload into the name field under the Create New Room module.

8.8CVSS

8.8AI Score

0.017EPSS

2022-03-03 12:15 AM

cve

CVE-2022-26564

HotelDruid Hotel Management Software v3.0.3 contains a cross-site scripting (XSS) vulnerability via the prezzoperiodo4 parameter in creaprezzi.php.

6.1CVSS

5.9AI Score

0.001EPSS

2022-04-26 11:15 PM

cve

CVE-2023-33817

hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability.

8.8CVSS

9AI Score

0.001EPSS

2023-06-13 09:15 PM

114

cve

CVE-2023-34537

A Reflected XSS was discovered in HotelDruid version 3.0.5, an attacker can issue malicious code/command on affected webpage's parameter to trick user on browser and/or exfiltrate data.

5.4CVSS

5.1AI Score

0.001EPSS

2023-06-13 09:15 PM

cve

CVE-2023-43371

Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the numcaselle parameter at /hoteldruid/creaprezzi.php.

9.8CVSS

9.8AI Score

0.001EPSS

2023-09-20 07:15 PM

cve

CVE-2023-43373

Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the n_utente_agg parameter at /hoteldruid/interconnessioni.php.

9.8CVSS

9.8AI Score

0.001EPSS

2023-09-20 07:15 PM

cve

CVE-2023-43374

Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the id_utente_log parameter at /hoteldruid/personalizza.php.

9.8CVSS

9.8AI Score

0.009EPSS

2023-09-20 07:15 PM

cve

CVE-2023-43375

Hoteldruid v3.0.5 was discovered to contain multiple SQL injection vulnerabilities at /hoteldruid/clienti.php via the annonascita, annoscaddoc, giornonascita, giornoscaddoc, lingua_cli, mesenascita, and mesescaddoc parameters.

9.8CVSS

10AI Score

0.001EPSS

2023-09-20 07:15 PM

cve

CVE-2023-43376

A cross-site scripting (XSS) vulnerability in /hoteldruid/clienti.php of Hoteldruid v3.0.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the nometipotariffa1 parameter.

5.4CVSS

5.2AI Score

0.001EPSS

2023-09-20 07:15 PM

cve

CVE-2023-43377

A cross-site scripting (XSS) vulnerability in /hoteldruid/visualizza_contratto.php of Hoteldruid v3.0.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the destinatario_email1 parameter.

5.4CVSS

5.2AI Score

0.001EPSS

2023-09-20 07:15 PM

cve

CVE-2023-47164

Cross-site scripting vulnerability in HOTELDRUID 3.0.5 and earlier allows a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product.

6.1CVSS

6.3AI Score

0.001EPSS

2023-11-10 09:15 AM

cve

CVE-2024-23091

Weak password hashing using MD5 in funzioni.php in HotelDruid before 1.32 allows an attacker to obtain plaintext passwords from hash values.

7.5CVSS

6.7AI Score

0.001EPSS

2024-07-30 02:15 PM