CVSS Vector (NVD)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description (NVD)
In HotelDruid 3.0.7, an unauthenticated attacker can exploit verbose SQL error messages on creadb.php before the 'create database' button is pressed. By sending malformed POST requests to this endpoint, the attacker may obtain the administrator username, password hash, and salt. In some cases, the attack results in a Denial of Service (DoS), preventing the administrator from logging in even with the correct credentials.
Analysis (AI)
CVE-2025-44203 is a high-severity information disclosure vulnerability in HotelDruid 3.0.7 that allows unauthenticated attackers to obtain sensitive credentials (the administrator username, password hash, and salt) through verbose SQL error messages returned by the creadb.php endpoint. The same malformed requests can also trigger a denial of service condition that locks administrators out of the system. With a CVSS score of 7.5 and no authentication or user interaction required, this poses an immediate risk to unpatched HotelDruid installations.
Technical Context (AI)
HotelDruid is a web-based hotel management system written in PHP. The vulnerability exists in the creadb.php script, which handles database creation during initial setup. The root cause is CWE-209 (Generation of Error Message Containing Sensitive Information): the application returns detailed SQL error messages, including sensitive data, to unauthenticated users. The creadb.php endpoint lacks proper input validation and does not suppress or sanitize error messages before the 'create database' button is pressed, so malformed POST requests can trigger verbose database errors. These errors expose configuration details, including the administrator username, password hash, and cryptographic salt, information that is normally protected behind authentication and authorization controls. Additionally, the error conditions can leave the database in an inconsistent state, resulting in denial of service.
Remediation (AI)
Immediate remediation steps:
1. Upgrade HotelDruid to a patched version released after this CVE disclosure (the patched version number is not given in the CVE description; consult hoteldruid.org or the vendor's GitHub for the latest release).
2. If an upgrade is not immediately possible, delete or rename the creadb.php file after successful database initialization to remove the vulnerable endpoint.
3. Implement network-level access controls so that creadb.php is reachable only from trusted IP addresses.
4. Deploy a Web Application Firewall (WAF) rule to block POST requests to creadb.php with malformed parameters.
5. If credentials have been exposed, immediately change the administrator password and database credentials.
6. Audit database logs and access patterns for signs of exploitation.

Long-term mitigation:
1. Ensure proper error handling in PHP applications by suppressing verbose error messages in production and logging errors securely server-side.
2. Implement input validation on all user-facing endpoints.
3. Restrict access to initialization scripts after deployment.
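The following PHP snippet illustrates the three long-term mitigations above (quiet server-side error logging instead of verbose client-facing messages, input validation of a POSTed parameter, and locking an initialization script once setup is complete). It is an added example written for this page, not HotelDruid's own code; the function names, the `setup_complete.lock` marker path, the `db_name` parameter and the DSN are assumptions chosen for illustration.

```php
<?php
// Added illustration, not HotelDruid code. Shows the error-handling,
// input-validation and setup-lockout patterns recommended in the remediation
// section. All names below (setup_complete.lock, db_name, the DSN) are assumed.

declare(strict_types=1);

// Production settings: never render engine errors to the client; log them instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

/**
 * Weak pattern: the raw driver message, which can contain query text and data
 * from the failing statement, is echoed straight back to the requester.
 */
function connect_verbose(string $dsn, string $user, string $pass): ?PDO
{
    try {
        return new PDO($dsn, $user, $pass);
    } catch (PDOException $e) {
        echo 'Database error: ' . $e->getMessage();   // leaks internals to the client
        return null;
    }
}

/**
 * Hardened pattern: the full detail goes to the server log under a random
 * correlation id; the client only receives that opaque id.
 */
function connect_quiet(string $dsn, string $user, string $pass): ?PDO
{
    try {
        return new PDO($dsn, $user, $pass, [
            PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        ]);
    } catch (PDOException $e) {
        $ref = bin2hex(random_bytes(4));
        error_log(sprintf('[db-error ref=%s] %s', $ref, $e->getMessage()));
        http_response_code(500);
        echo 'Database error. Reference: ' . $ref;
        return null;
    }
}

/**
 * Input validation for a setup parameter: accept only a plain identifier so a
 * malformed value is rejected before it ever reaches the database layer.
 */
function require_identifier(string $value): string
{
    if (preg_match('/^[A-Za-z0-9_]{1,64}$/', $value) !== 1) {
        http_response_code(400);
        exit('Invalid parameter.');
    }
    return $value;
}

/**
 * Setup lockout: once installation has finished, a marker file is written and
 * the initialization script refuses to run again (assumed marker path).
 */
function setup_already_done(string $markerPath): bool
{
    return is_file($markerPath);
}

$marker = __DIR__ . '/setup_complete.lock';
if (setup_already_done($marker)) {
    http_response_code(403);
    exit('Setup has already been completed.');
}

// Assumed POST parameter name; validated before use.
$dbName = require_identifier((string)($_POST['db_name'] ?? ''));

// Setup logic would follow here, using connect_quiet() rather than connect_verbose(),
// and writing $marker (e.g. touch($marker)) once the database has been created.
```

The point of the correlation id in `connect_quiet()` is that an operator can still find the full error in the server log when a user reports the reference, while nothing about the schema, credentials or query text reaches an unauthenticated client.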
Vendor Status
Ubuntu
Priority: Medium

| Release | Status | Version |
|---|---|---|
| xenial | needs-triage | - |
| bionic | needs-triage | - |
| focal | needs-triage | - |
| jammy | needs-triage | - |
| noble | needs-triage | - |
| upstream | needs-triage | - |
| oracular | ignored | end of life, was needs-triage |
| questing | needs-triage | - |
| plucky | ignored | end of life, was needs-triage |
Debian
Bug #1108154

| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 3.0.1-1 | - |
| bookworm | vulnerable | 3.0.4-1 | - |
| sid | fixed | 3.0.8-1 | - |
| (unstable) | fixed | 3.0.8-1 | - |
EUVD ID: EUVD-2025-18763