Total
21 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-43377 | 1 Digitaldruid | 1 Hoteldruid | 2024-09-25 | N/A | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability in /hoteldruid/visualizza_contratto.php of Hoteldruid v3.0.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the destinatario_email1 parameter. | |||||
| CVE-2023-43376 | 1 Digitaldruid | 1 Hoteldruid | 2024-09-25 | N/A | 5.4 MEDIUM |
| A cross-site scripting (XSS) vulnerability in /hoteldruid/clienti.php of Hoteldruid v3.0.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the nometipotariffa1 parameter. | |||||
| CVE-2023-43375 | 1 Digitaldruid | 1 Hoteldruid | 2024-09-25 | N/A | 9.8 CRITICAL |
| Hoteldruid v3.0.5 was discovered to contain multiple SQL injection vulnerabilities at /hoteldruid/clienti.php via the annonascita, annoscaddoc, giornonascita, giornoscaddoc, lingua_cli, mesenascita, and mesescaddoc parameters. | |||||
| CVE-2023-43374 | 1 Digitaldruid | 1 Hoteldruid | 2024-09-25 | N/A | 9.8 CRITICAL |
| Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the id_utente_log parameter at /hoteldruid/personalizza.php. | |||||
| CVE-2023-43373 | 1 Digitaldruid | 1 Hoteldruid | 2024-09-25 | N/A | 9.8 CRITICAL |
| Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the n_utente_agg parameter at /hoteldruid/interconnessioni.php. | |||||
| CVE-2023-43371 | 1 Digitaldruid | 1 Hoteldruid | 2024-09-25 | N/A | 9.8 CRITICAL |
| Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the numcaselle parameter at /hoteldruid/creaprezzi.php. | |||||
| CVE-2024-23091 | 1 Digitaldruid | 1 Hoteldruid | 2024-08-23 | N/A | 7.5 HIGH |
| Weak password hashing using MD5 in funzioni.php in HotelDruid before 1.32 allows an attacker to obtain plaintext passwords from hash values. | |||||
| CVE-2023-33817 | 1 Digitaldruid | 1 Hoteldruid | 2024-02-04 | N/A | 8.8 HIGH |
| hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability. | |||||
| CVE-2021-42949 | 1 Digitaldruid | 1 Hoteldruid | 2024-02-04 | N/A | 9.8 CRITICAL |
| The component controlla_login function in HotelDruid Hotel Management Software v3.0.3 generates a predictable session token, allowing attackers to bypass authentication via bruteforce attacks. | |||||
| CVE-2021-42948 | 1 Digitaldruid | 1 Hoteldruid | 2024-02-04 | N/A | 3.7 LOW |
| HotelDruid Hotel Management Software v3.0.3 and below was discovered to have exposed session tokens in multiple links via GET parameters, allowing attackers to access user session id's. | |||||
| CVE-2022-26564 | 1 Digitaldruid | 1 Hoteldruid | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| HotelDruid Hotel Management Software v3.0.3 contains a cross-site scripting (XSS) vulnerability via the prezzoperiodo4 parameter in creaprezzi.php. | |||||
| CVE-2022-22909 | 1 Digitaldruid | 1 Hoteldruid | 2024-02-04 | 6.5 MEDIUM | 8.8 HIGH |
| HotelDruid v3.0.3 was discovered to contain a remote code execution (RCE) vulnerability which is exploited via an attacker inserting a crafted payload into the name field under the Create New Room module. | |||||
| CVE-2021-38559 | 1 Digitaldruid | 1 Hoteldruid | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| DigitalDruid HotelDruid 3.0.2 has an XSS vulnerability in prenota.php affecting the fineperiodo1 parameter. | |||||
| CVE-2021-37833 | 1 Digitaldruid | 1 Hoteldruid | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| A reflected cross-site scripting (XSS) vulnerability exists in multiple pages in version 3.0.2 of the Hotel Druid application that allows for arbitrary execution of JavaScript commands. | |||||
| CVE-2021-37832 | 1 Digitaldruid | 1 Hoteldruid | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| A SQL injection vulnerability exists in version 3.0.2 of Hotel Druid when SQLite is being used as the application database. A malicious attacker can issue SQL commands to the SQLite database through the vulnerable idappartamenti parameter. | |||||
| CVE-2019-9087 | 1 Digitaldruid | 1 Hoteldruid | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| HotelDruid before v2.3.1 has SQL Injection via the /tab_tariffe.php numtariffa1 parameter. | |||||
| CVE-2019-9085 | 1 Digitaldruid | 1 Hoteldruid | 2024-02-04 | 4.0 MEDIUM | 6.5 MEDIUM |
| Hoteldruid before v2.3.1 allows remote authenticated users to cause a denial of service (invoice-creation outage) via the n_file parameter to visualizza_contratto.php with invalid arguments (any non-numeric value), as demonstrated by the anno=2019&id_transazione=1&numero_contratto=1&n_file=a query string to visualizza_contratto.php. | |||||
| CVE-2019-9084 | 1 Digitaldruid | 1 Hoteldruid | 2024-02-04 | 4.0 MEDIUM | 4.9 MEDIUM |
| In Hoteldruid before 2.3.1, a division by zero was discovered in $num_tabelle in tab_tariffe.php (aka the numtariffa1 parameter) due to the mishandling of non-numeric values, as demonstrated by the /tab_tariffe.php?anno=[YEAR]&numtariffa1=1a URI. It could allow an administrator to conduct remote denial of service (disrupting certain business functions of the product). | |||||
| CVE-2019-8937 | 1 Digitaldruid | 1 Hoteldruid | 2024-02-04 | 4.3 MEDIUM | 6.1 MEDIUM |
| HotelDruid 2.3.0 has XSS affecting the nsextt, cambia1, mese_fine, origine, and anno parameters in creaprezzi.php, tabella3.php, personalizza.php, and visualizza_tabelle.php. | |||||
| CVE-2019-9086 | 1 Digitaldruid | 1 Hoteldruid | 2024-02-04 | 7.5 HIGH | 9.8 CRITICAL |
| HotelDruid before v2.3.1 has SQL Injection via the /visualizza_tabelle.php anno parameter. | |||||