Filtered by vendor Hoteldruid Subscriptions
Filtered by product Hoteldruid Subscriptions
Total 2 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2025-44203 2 Digitaldruid, Hoteldruid 2 Hoteldruid, Hoteldruid 2026-07-09 7.5 High
In HotelDruid 3.0.0 and 3.0.7, the unauthenticated database-setup endpoint creadb.php can be reached before setup is completed and performs database creation without locking. By sending many concurrent requests, an attacker can trigger a race condition during which verbose SQL error messages disclose the administrator username, password hash, and salt. The same race leaves the setup partially initialized, so the administrator can no longer log in with the credentials set during installation, resulting in a denial of service that requires reinstallation to recover. Remote exploitation additionally requires the installation to allow non-localhost access. The vulnerability was fixed in version 3.0.8.
CVE-2025-55816 2 Digitaldruid, Hoteldruid 2 Hoteldruid, Hoteldruid 2025-12-15 6.1 Medium
HotelDruid v3.0.7 and before is vulnerable to Cross Site Scripting (XSS) in the /modifica_app.php file.