Metamorfosec Security Advisory METS-2019-007
A SQL Injection in HotelDruid before v2.3.1

FIRST PUBLISHED: June 6, 2019
VERSION: 1.0
VENDOR: DigitalDruid.Net
PRODUCT: Hoteldruid
VERSION AFFECTED: 2.3.0 (prior versions may also be affected)
CVE-ID: CVE-2019-9086

PRODUCT DESCRIPTION:
(from the official website: http://www.hoteldruid.com)
Hoteldruid is an open source program for hotel management (property management software) developed by DigitalDruid.Net. Thanks to the great flexibility of its web interface it can satisfy a wide range of demands, from those of bed & breakfasts or vacation houses with few apartments to those of hotels with hundreds of rooms.

FINDING:
HotelDruid before v2.3.1 has SQL Injection via the anno parameter of /visualizza_tabelle.php.

PROOF OF CONCEPT:
http://[DOMAIN_NAME]/hoteldruid_2.3.0/hoteldruid/visualizza_tabelle.php?anno=[YEAR]'&tipo_tabella=prenotazioni&sel_tab_prenota=correnti&opz_cerc_pren=arr

MITIGATION:
Update to v2.3.1 or newer.

ADVISORY TIMELINE:
Jan 21, 2019 - Vulnerability found
Jan 24, 2019 - First contact with vendor; vendor responded
Feb 21, 2019 - Vendor released v2.3.1; CVE-ID requested
Feb 25, 2019 - CVE-2019-9086 assigned (still reserved)
June 6, 2019 - Released METS-2019-007 v1.0 and requested publication of CVE-2019-9086

REVISION HISTORY:
Version 1.0 (June 6, 2019) - First release

REFERENCES:
http://www.hoteldruid.com/en/download.html
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9086

DISCLAIMER:
The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide information that is as accurate as possible. The latest version of this security advisory is available on our website.
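The finding above boils down to a year parameter (anno) that reaches a query without being constrained to a number, which is why a single quote is enough to break the statement. Two defender-side checks follow from that: validate anno as a four-digit year before it is used, and look back through web-server access logs for requests to visualizza_tabelle.php whose anno value is not a plain year. The Python below is an added example written for this editorial pass; it is not HotelDruid code and does not reflect how the application actually builds its queries. The combined-log-format lines are constructed samples, the IPs are documentation addresses, and the 500 status on the injected request is an assumed value.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Strict validator for the 'anno' (year) parameter: four digits in a plausible range.
# A value like "2019'" is rejected here, so it can never reach a query string.
YEAR_RE = re.compile(r"^\d{4}$")


def is_valid_anno(value: str) -> bool:
    if not YEAR_RE.fullmatch(value):
        return False
    return 1900 <= int(value) <= 2100


# Minimal parser for Apache/nginx combined log format (only the fields needed here).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)


def parse_line(line: str):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_anno_injection(lines, script="visualizza_tabelle.php"):
    """Return (client_ip, decoded anno value) for every request to the affected
    script whose anno parameter is not a plain year. parse_qs percent-decodes,
    so an encoded %27 and a literal quote are treated identically."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        if not parts.path.endswith("/" + script):
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        for anno in params.get("anno", []):
            if not is_valid_anno(anno):
                hits.append((rec["ip"], anno))
    return hits


# Constructed sample access-log lines (not from any real deployment).
SAMPLE_LOG = [
    '203.0.113.10 - - [06/Jun/2019:10:00:01 +0000] "GET /hoteldruid/visualizza_tabelle.php?anno=2019&tipo_tabella=prenotazioni HTTP/1.1" 200 5120',
    '203.0.113.11 - - [06/Jun/2019:10:00:02 +0000] "GET /hoteldruid/visualizza_tabelle.php?anno=2019%27&tipo_tabella=prenotazioni&sel_tab_prenota=correnti&opz_cerc_pren=arr HTTP/1.1" 500 312',
    '203.0.113.12 - - [06/Jun/2019:10:00:03 +0000] "GET /hoteldruid/visualizza_tabelle.php?anno=2019\'&tipo_tabella=prenotazioni HTTP/1.1" 200 8800',
    '203.0.113.13 - - [06/Jun/2019:10:00:04 +0000] "GET /hoteldruid/inizio.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, anno in flag_anno_injection(SAMPLE_LOG):
        print(f"suspicious anno value from {ip}: {anno!r}")
```

Run against a real log, the scan only reports requests to the vulnerable script with a malformed anno; a quote that was percent-encoded in the wire request still shows up because parse_qs decodes it. The same is_valid_anno check is the input-side counterpart: a parameter that is semantically a year can be rejected on shape alone, independent of how the query is later built.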