Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from Vendor (mitre).
CVSS VectorVendor: mitre
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
In HotelDruid 3.0.7, an unauthenticated attacker can exploit verbose SQL error messages on creadb.php before the 'create database' button is pressed. By sending malformed POST requests to this endpoint, the attacker may obtain the administrator username, password hash, and salt. In some cases, the attack results in a Denial of Service (DoS), preventing the administrator from logging in even with the correct credentials.
AnalysisAI
CVE-2025-44203 is a critical information disclosure vulnerability in HotelDruid 3.0.7 that allows unauthenticated attackers to extract sensitive database credentials (administrator username, password hash, and salt) through verbose SQL error messages on the creadb.php endpoint. The vulnerability can also cause denial of service conditions that lock administrators out of the system. With a CVSS score of 7.5 and no authentication required, this poses an immediate threat to unpatched HotelDruid installations.
Technical ContextAI
HotelDruid is a web-based hotel management system written in PHP. The vulnerability exists in the creadb.php script, which handles database creation during initial setup. The root cause is CWE-209 (Information Exposure Through an Error Message), where the application returns detailed SQL error messages containing sensitive information to unauthenticated users. The creadb.php endpoint lacks proper input validation and does not sanitize or suppress error messages before the 'create database' button is pressed, allowing attackers to craft malformed POST requests that trigger verbose database errors. These errors expose the database configuration, including the administrator username, password hash, and cryptographic salt—information typically protected behind authentication and authorization controls. Additionally, the error conditions can corrupt database state, resulting in denial of service.
RemediationAI
Immediate remediation steps: (1) Upgrade HotelDruid to a patched version released after this CVE disclosure (patch version number not provided in CVE description; consult hoteldruid.org or vendor GitHub for the latest release), (2) If upgrade is not immediately possible, delete or rename the creadb.php file after successful database initialization to remove the vulnerable endpoint, (3) Implement network-level access controls to restrict access to creadb.php to trusted IP addresses only, (4) Deploy a Web Application Firewall (WAF) rule to block POST requests to creadb.php with malformed parameters, (5) If credentials have been exposed, immediately change the administrator password and database credentials, (6) Audit database logs and access patterns for signs of exploitation. Long-term mitigation: (1) ensure proper error handling in PHP applications by suppressing verbose error messages in production and logging errors securely server-side, (2) implement input validation on all user-facing endpoints, (3) restrict access to initialization scripts after deployment.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-209 – Error Message Information Leak
View allSame technique Denial Of Service
View allVendor StatusVendor
Ubuntu
Priority: Medium| Release | Status | Version |
|---|---|---|
| xenial | needs-triage | - |
| bionic | needs-triage | - |
| focal | needs-triage | - |
| jammy | needs-triage | - |
| noble | needs-triage | - |
| upstream | needs-triage | - |
| oracular | ignored | end of life, was needs-triage |
| questing | needs-triage | - |
| plucky | ignored | end of life, was needs-triage |
Debian
Bug #1108154| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 3.0.1-1 | - |
| bookworm | vulnerable | 3.0.4-1 | - |
| sid | fixed | 3.0.8-1 | - |
| (unstable) | fixed | 3.0.8-1 | - |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-18763