cbcvebase.
CVE-2022-22909
published 2022-03-03

Priority: P273high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 45.43% (98.6th percentile)
HotelDruid v3.0.3 was discovered to contain a remote code execution (RCE) vulnerability which is exploited via an attacker inserting a crafted payload into the name field under the Create New Room module.

Affected (3 ranges)

Vendor | Product | Version range | Fixed in
debian | hoteldruid | < hoteldruid 3.0.4-1 (bookworm) | hoteldruid 3.0.4-1 (bookworm)
digitaldruid | hoteldruid | | 
digitaldruid | hoteldruid | >= 0, < 3.0.4-1 | 3.0.4-1

Detection & IOCs (extracted from sources)

url: /inizio.php
url: /visualizza_tabelle.php?id_sessione={token}&tipo_tabella=appartamenti
url: /visualizza_tabelle.php
url: /dati/selectappartamenti.php?cmd=id
path: /dati/selectappartamenti.php
command: ${${system($_REQUEST['cmd'])}}
  • Monitor POST requests to /visualizza_tabelle.php where the 'n_app' (room name) field contains PHP template injection payloads such as '${...}' or system() calls.
  • Alert on GET requests to /dati/selectappartamenti.php containing a 'cmd' query parameter, which indicates active RCE exploitation of the planted webshell.
  • The exploit checks for privilege by looking for the string 'Modify' in the response from visualizza_tabelle.php; monitor for repeated unauthenticated or low-privilege probes to this endpoint.
  • Successful RCE is confirmed by the presence of 'uid=' in the HTTP response body from selectappartamenti.php, indicating command output from a Unix system() call.
  • The vulnerability is triggered via the 'Create New Room' module (n_app field); inspect HotelDruid room name entries in the database for PHP code injection strings.
  • The exploit supports a '--noauth' mode, meaning the HotelDruid dashboard may be deployed without authentication, making the attack possible without credentials.
  • Fixed in HotelDruid version 3.0.4-1 (Debian bookworm/sid); bullseye remains open at time of advisory.
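The detection bullets above, turned into a small classifier over HTTP transactions. This is an added example, not code from the advisory or from HotelDruid; it assumes request records that carry method, URL, form body and response body (as a reverse proxy or WAF would log them), and the session token `abc`, the room name `Room 101` and the sample transactions are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Indicator patterns from the advisory: PHP code-injection markers in the
# room-name field and the 'cmd' parameter used to drive the planted webshell.
INJECTION_RE = re.compile(r"\$\{|\bsystem\s*\(|\$_REQUEST\b")
CMD_OUTPUT_RE = re.compile(r"\buid=\d+")  # output of id(1), as the advisory notes


def inspect_request(method, url, body="", response_body=""):
    """Classify one HTTP transaction (method, URL, form body, response body).

    Returns a list of (severity, reason) tuples; an empty list means nothing
    matched the advisory's indicators.
    """
    parts = urlsplit(url)
    path, query = parts.path, parse_qs(parts.query, keep_blank_values=True)
    findings = []

    # Stage 1: room creation posting PHP code in the n_app (room name) field.
    if method.upper() == "POST" and path.endswith("/visualizza_tabelle.php"):
        form = parse_qs(body, keep_blank_values=True)  # percent-decodes values
        for value in form.get("n_app", []):
            if INJECTION_RE.search(value):
                findings.append(("high", "PHP code injection in room name (n_app)"))
                break

    # Stage 2: commands sent to the webshell written under dati/.
    if path.endswith("/dati/selectappartamenti.php") and "cmd" in query:
        if CMD_OUTPUT_RE.search(response_body):
            findings.append(("critical", "webshell command executed (uid= in response)"))
        else:
            findings.append(("high", "cmd parameter sent to selectappartamenti.php"))
    return findings


# Constructed sample transactions (not real traffic); the injected value is the
# command string quoted in the advisory, percent-encoded as a browser would send it.
SAMPLES = [
    ("POST", "/hoteldruid/visualizza_tabelle.php?id_sessione=abc&tipo_tabella=appartamenti",
     "n_app=Room+101", ""),
    ("POST", "/hoteldruid/visualizza_tabelle.php?id_sessione=abc&tipo_tabella=appartamenti",
     "n_app=%24%7B%24%7Bsystem%28%24_REQUEST%5B%27cmd%27%5D%29%7D%7D", ""),
    ("GET", "/hoteldruid/dati/selectappartamenti.php?cmd=id", "",
     "uid=33(www-data) gid=33(www-data)"),
    ("GET", "/hoteldruid/dati/selectappartamenti.php?cmd=id", "", "<html>"),
]

if __name__ == "__main__":
    for method, url, body, resp in SAMPLES:
        print(method, url, "->", inspect_request(method, url, body, resp) or "clean")
```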

CVSS provenance

Source | Version | Score | Severity | Vector
nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P
osv | | 8.8 | HIGH |
vendor_debian | | 8.8 | HIGH |