CVE-2023-43371 in Hoteldruid
Summary
by MITRE • 09/20/2023
Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the numcaselle parameter at /hoteldruid/creaprezzi.php.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 02/06/2026
The vulnerability identified as CVE-2023-43371 affects Hoteldruid version 3.0.5 and represents a critical SQL injection flaw that can be exploited through the numcaselle parameter within the creaprezzi.php script. This type of vulnerability falls under the CWE-89 category, which specifically addresses SQL injection attacks where untrusted data is incorporated into SQL commands without proper sanitization or parameterization. The affected application appears to be a hotel management system that handles pricing configurations through the creaprezzi.php endpoint, making this a particularly concerning issue for hospitality industry applications that manage sensitive financial data.
The technical exploitation of this vulnerability occurs when an attacker manipulates the numcaselle parameter to inject malicious SQL code into the database query execution process. This parameter is likely used to determine the number of price categories or booking scenarios within the hotel pricing system. When the application fails to properly validate or sanitize user input from this parameter, an attacker can construct SQL commands that bypass authentication, extract sensitive data, modify database records, or even execute arbitrary commands on the underlying database server. The vulnerability's impact is amplified by the fact that it resides in a pricing configuration endpoint, which typically requires elevated privileges and contains critical business data.
Operationally, this SQL injection vulnerability poses significant risks to hotel management systems that rely on Hoteldruid for their business operations. Attackers could potentially access guest reservation data, pricing structures, financial records, and other sensitive information stored within the database. The exploitation of this vulnerability may lead to unauthorized financial transactions, data breaches, service disruption, and compliance violations under regulations such as gdpr and pci dss. The attack surface is particularly concerning given that hotel management systems often contain personally identifiable information, payment card data, and business-critical operational data that would be valuable to cybercriminals.
Security mitigations for CVE-2023-43371 should focus on implementing proper input validation and parameterized queries to prevent SQL injection attacks. The recommended approach involves sanitizing all user inputs through whitelisting mechanisms or using prepared statements with parameterized queries to ensure that user-supplied data cannot alter the intended SQL command structure. Organizations should also implement web application firewalls and input validation rules to detect and block malicious payloads targeting this specific parameter. Additionally, regular security assessments and vulnerability scanning should be conducted to identify similar issues within the application codebase. The remediation process should include updating to the latest version of Hoteldruid where this vulnerability has been patched, along with comprehensive security testing to ensure that no other injection points exist within the application. This vulnerability aligns with tactics described in the attack pattern catalog under the sql injection category and represents a common weakness that affects numerous web applications in the hospitality and business management sectors.