Digitaldruid Hoteldruid
30 CVEs affecting Digitaldruid Hoteldruid. Latest disclosed: 2025-12-11. Critical: 9, High: 6.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
CVE-2023-43375 | Critical | 9.8 | 2023-09-20 | Hoteldruid v3.0.5 was discovered to contain multiple SQL injection vulnerabilities at /hoteldruid/clienti.php via the annonascita, annoscaddoc, giornonascita… |
CVE-2023-43374 | Critical | 9.8 | 2023-09-20 | Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the id_utente_log parameter at /hoteldruid/personalizza.php. |
CVE-2023-43373 | Critical | 9.8 | 2023-09-20 | Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the n_utente_agg parameter at /hoteldruid/interconnessioni.php. |
CVE-2023-43371 | Critical | 9.8 | 2023-09-20 | Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the numcaselle parameter at /hoteldruid/creaprezzi.php. |
CVE-2021-42949 | Critical | 9.8 | 2022-09-16 | The component controlla_login function in HotelDruid Hotel Management Software v3.0.3 generates a predictable session token, allowing attackers to bypass authe… |
CVE-2021-37832 | Critical | 9.8 | 2021-08-03 | A SQL injection vulnerability exists in version 3.0.2 of Hotel Druid when SQLite is being used as the application database. A malicious attacker can issue SQL… |
CVE-2019-9087 | Critical | 9.8 | 2019-06-07 | HotelDruid before v2.3.1 has SQL Injection via the /tab_tariffe.php numtariffa1 parameter. |
CVE-2019-9086 | Critical | 9.8 | 2019-06-07 | HotelDruid before v2.3.1 has SQL Injection via the /visualizza_tabelle.php anno parameter. |
CVE-2018-1000871 | Critical | 9.8 | 2018-12-20 | HotelDruid HotelDruid 2.3.0 version 2.3.0 and earlier contains a SQL Injection vulnerability in "id_utente_mod" parameter in gestione_utenti.php file that can… |
CVE-2023-33817 | High | 8.8 | 2023-06-13 | hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability. |
CVE-2022-22909 | High | 8.8 | 2022-03-03 | HotelDruid v3.0.3 was discovered to contain a remote code execution (RCE) vulnerability which is exploited via an attacker inserting a crafted payload into the… |
CVE-2025-44203 | High | 7.5 | 2025-06-20 | In HotelDruid 3.0.7, an unauthenticated attacker can exploit verbose SQL error messages on creadb.php before the 'create database' button is pressed. By sendin… |
CVE-2024-23091 | High | 7.5 | 2024-07-30 | Weak password hashing using MD5 in funzioni.php in HotelDruid before 1.32 allows an attacker to obtain plaintext passwords from hash values. |
CVE-2025-25748 | High | 7.3 | 2025-03-11 | A CSRF vulnerability in the gestione_utenti.php endpoint of HotelDruid 3.0.7 allows attackers to perform unauthorized actions (e.g., modifying user passwords)… |
CVE-2025-25749 | High | 7.1 | 2025-03-11 | An issue in HotelDruid version 3.0.7 and earlier allows users to set weak passwords due to the lack of enforcement of password strength policies. |
CVE-2019-9085 | Medium | 6.5 | 2019-06-24 | Hoteldruid before v2.3.1 allows remote authenticated users to cause a denial of service (invoice-creation outage) via the n_file parameter to visualizza_contra… |
CVE-2025-55816 | Medium | 6.1 | 2025-12-11 | HotelDruid v3.0.7 and before is vulnerable to Cross Site Scripting (XSS) in the /modifica_app.php file. |
CVE-2023-43378 | Medium | 6.1 | 2025-04-22 | A cross-site scripting (XSS) vulnerability in Hoteldruid v3.0.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into t… |
CVE-2023-47164 | Medium | 6.1 | 2023-11-10 | Cross-site scripting vulnerability in HOTELDRUID 3.0.5 and earlier allows a remote unauthenticated attacker to execute an arbitrary script on the web browser o… |
CVE-2022-26564 | Medium | 6.1 | 2022-04-26 | HotelDruid Hotel Management Software v3.0.3 contains a cross-site scripting (XSS) vulnerability via the prezzoperiodo4 parameter in creaprezzi.php. |