Filtered by vendor Digitaldruid Subscriptions
Filtered by product Hoteldruid Subscriptions
Total 23 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2024-23091 1 Digitaldruid 1 Hoteldruid 2024-11-21 7.5 High
Weak password hashing using MD5 in funzioni.php in HotelDruid before 1.32 allows an attacker to obtain plaintext passwords from hash values.
CVE-2023-47164 1 Digitaldruid 1 Hoteldruid 2024-11-21 6.1 Medium
Cross-site scripting vulnerability in HOTELDRUID 3.0.5 and earlier allows a remote unauthenticated attacker to execute an arbitrary script on the web browser of the user who is logging in to the product.
CVE-2023-43377 1 Digitaldruid 1 Hoteldruid 2024-11-21 5.4 Medium
A cross-site scripting (XSS) vulnerability in /hoteldruid/visualizza_contratto.php of Hoteldruid v3.0.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the destinatario_email1 parameter.
CVE-2023-43376 1 Digitaldruid 1 Hoteldruid 2024-11-21 5.4 Medium
A cross-site scripting (XSS) vulnerability in /hoteldruid/clienti.php of Hoteldruid v3.0.5 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the nometipotariffa1 parameter.
CVE-2023-43375 1 Digitaldruid 1 Hoteldruid 2024-11-21 9.8 Critical
Hoteldruid v3.0.5 was discovered to contain multiple SQL injection vulnerabilities at /hoteldruid/clienti.php via the annonascita, annoscaddoc, giornonascita, giornoscaddoc, lingua_cli, mesenascita, and mesescaddoc parameters.
CVE-2023-43374 1 Digitaldruid 1 Hoteldruid 2024-11-21 9.8 Critical
Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the id_utente_log parameter at /hoteldruid/personalizza.php.
CVE-2023-43373 1 Digitaldruid 1 Hoteldruid 2024-11-21 9.8 Critical
Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the n_utente_agg parameter at /hoteldruid/interconnessioni.php.
CVE-2023-43371 1 Digitaldruid 1 Hoteldruid 2024-11-21 9.8 Critical
Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the numcaselle parameter at /hoteldruid/creaprezzi.php.
CVE-2023-34537 1 Digitaldruid 1 Hoteldruid 2024-11-21 5.4 Medium
A Reflected XSS was discovered in HotelDruid version 3.0.5, an attacker can issue malicious code/command on affected webpage's parameter to trick user on browser and/or exfiltrate data.
CVE-2023-33817 1 Digitaldruid 1 Hoteldruid 2024-11-21 8.8 High
hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability.
CVE-2022-26564 1 Digitaldruid 1 Hoteldruid 2024-11-21 6.1 Medium
HotelDruid Hotel Management Software v3.0.3 contains a cross-site scripting (XSS) vulnerability via the prezzoperiodo4 parameter in creaprezzi.php.
CVE-2022-22909 1 Digitaldruid 1 Hoteldruid 2024-11-21 8.8 High
HotelDruid v3.0.3 was discovered to contain a remote code execution (RCE) vulnerability which is exploited via an attacker inserting a crafted payload into the name field under the Create New Room module.
CVE-2021-42949 1 Digitaldruid 1 Hoteldruid 2024-11-21 9.8 Critical
The component controlla_login function in HotelDruid Hotel Management Software v3.0.3 generates a predictable session token, allowing attackers to bypass authentication via bruteforce attacks.
CVE-2021-42948 1 Digitaldruid 1 Hoteldruid 2024-11-21 3.7 Low
HotelDruid Hotel Management Software v3.0.3 and below was discovered to have exposed session tokens in multiple links via GET parameters, allowing attackers to access user session id's.
CVE-2021-38559 1 Digitaldruid 1 Hoteldruid 2024-11-21 6.1 Medium
DigitalDruid HotelDruid 3.0.2 has an XSS vulnerability in prenota.php affecting the fineperiodo1 parameter.
CVE-2021-37833 1 Digitaldruid 1 Hoteldruid 2024-11-21 6.1 Medium
A reflected cross-site scripting (XSS) vulnerability exists in multiple pages in version 3.0.2 of the Hotel Druid application that allows for arbitrary execution of JavaScript commands.
CVE-2021-37832 1 Digitaldruid 1 Hoteldruid 2024-11-21 9.8 Critical
A SQL injection vulnerability exists in version 3.0.2 of Hotel Druid when SQLite is being used as the application database. A malicious attacker can issue SQL commands to the SQLite database through the vulnerable idappartamenti parameter.
CVE-2019-9087 1 Digitaldruid 1 Hoteldruid 2024-11-21 N/A
HotelDruid before v2.3.1 has SQL Injection via the /tab_tariffe.php numtariffa1 parameter.
CVE-2019-9086 1 Digitaldruid 1 Hoteldruid 2024-11-21 N/A
HotelDruid before v2.3.1 has SQL Injection via the /visualizza_tabelle.php anno parameter.
CVE-2019-9085 1 Digitaldruid 1 Hoteldruid 2024-11-21 N/A
Hoteldruid before v2.3.1 allows remote authenticated users to cause a denial of service (invoice-creation outage) via the n_file parameter to visualizza_contratto.php with invalid arguments (any non-numeric value), as demonstrated by the anno=2019&id_transazione=1&numero_contratto=1&n_file=a query string to visualizza_contratto.php.