Vulnerabilities > Digitaldruid > Hoteldruid
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-09-16 | CVE-2021-42949 | Improper Authentication vulnerability in Digitaldruid Hoteldruid 3.0.3 The component controlla_login function in HotelDruid Hotel Management Software v3.0.3 generates a predictable session token, allowing attackers to bypass authentication via bruteforce attacks. | 9.8 |
| 2022-04-26 | CVE-2022-26564 | Cross-site Scripting vulnerability in Digitaldruid Hoteldruid 3.0.3 HotelDruid Hotel Management Software v3.0.3 contains a cross-site scripting (XSS) vulnerability via the prezzoperiodo4 parameter in creaprezzi.php. | 4.3 |
| 2022-03-03 | CVE-2022-22909 | Code Injection vulnerability in Digitaldruid Hoteldruid 3.0.3 HotelDruid v3.0.3 was discovered to contain a remote code execution (RCE) vulnerability which is exploited via an attacker inserting a crafted payload into the name field under the Create New Room module. | 6.5 |
| 2021-08-26 | CVE-2021-38559 | Cross-site Scripting vulnerability in Digitaldruid Hoteldruid 3.0.2 DigitalDruid HotelDruid 3.0.2 has an XSS vulnerability in prenota.php affecting the fineperiodo1 parameter. | 4.3 |
| 2021-08-03 | CVE-2021-37832 | SQL Injection vulnerability in Digitaldruid Hoteldruid 3.0.2 A SQL injection vulnerability exists in version 3.0.2 of Hotel Druid when SQLite is being used as the application database. | 7.5 |
| 2021-08-03 | CVE-2021-37833 | Cross-site Scripting vulnerability in Digitaldruid Hoteldruid 3.0.2 A reflected cross-site scripting (XSS) vulnerability exists in multiple pages in version 3.0.2 of the Hotel Druid application that allows for arbitrary execution of JavaScript commands. | 4.3 |
| 2019-06-24 | CVE-2019-9085 | Improper Input Validation vulnerability in Digitaldruid Hoteldruid Hoteldruid before v2.3.1 allows remote authenticated users to cause a denial of service (invoice-creation outage) via the n_file parameter to visualizza_contratto.php with invalid arguments (any non-numeric value), as demonstrated by the anno=2019&id_transazione=1&numero_contratto=1&n_file=a query string to visualizza_contratto.php. | 4.0 |
| 2019-06-07 | CVE-2019-9087 | SQL Injection vulnerability in Digitaldruid Hoteldruid HotelDruid before v2.3.1 has SQL Injection via the /tab_tariffe.php numtariffa1 parameter. | 7.5 |
| 2019-06-07 | CVE-2019-9086 | SQL Injection vulnerability in Digitaldruid Hoteldruid HotelDruid before v2.3.1 has SQL Injection via the /visualizza_tabelle.php anno parameter. | 7.5 |
| 2019-06-07 | CVE-2019-9084 | Divide By Zero vulnerability in Digitaldruid Hoteldruid In Hoteldruid before 2.3.1, a division by zero was discovered in $num_tabelle in tab_tariffe.php (aka the numtariffa1 parameter) due to the mishandling of non-numeric values, as demonstrated by the /tab_tariffe.php?anno=[YEAR]&numtariffa1=1a URI. | 4.0 |