Source: hoteldruid
Version: 3.0.6-1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc:
[email protected], Debian Security Team <
[email protected]>
Hi,
The following vulnerability was published for hoteldruid.
CVE-2025-44203[0]:
| In HotelDruid 3.0.7, an unauthenticated attacker can exploit verbose
| SQL error messages on creadb.php before the 'create database' button
| is pressed. By sending malformed POST requests to this endpoint, the
| attacker may obtain the administrator username, password hash, and
| salt. In some cases, the attack results in a Denial of Service
| (DoS), preventing the administrator from logging in even with the
| correct credentials.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0]
https://security-tracker.debian.org/tracker/CVE-2025-44203
https://www.cve.org/CVERecord?id=CVE-2025-44203
[1]
https://github.com/IvanT7D3/CVE-2025-44203
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)