CVE-2023-43373
published 2023-09-20

CVE-2023-43373: Hoteldruid v3.0.5 was discovered to contain a SQL injection vulnerability via the n_utente_agg parameter at /hoteldruid/interconnessioni.php.

Priority: P2 62 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: yes
EPSS: 3.75% (88.5th percentile)

Affected (2 ranges)

Vendor        Product     Version range                 Fixed in
debian        hoteldruid  < hoteldruid 3.0.6-1 (sid)    hoteldruid 3.0.6-1 (sid)
digitaldruid  hoteldruid  (not stated)                  (not stated)

Detection & IOCs (extracted from sources)

Path: /hoteldruid/interconnessioni.php
Command: n_utente_agg=1' AND (SELECT 3869 FROM (SELECT(SLEEP(7)))qSXB)-- QMbZ
  • Detect exploitation attempts by monitoring POST requests to /interconnessioni.php containing time-based blind SQLi payloads in the n_utente_agg parameter (e.g., SLEEP() calls). A server response time >= 7 seconds combined with HTTP 200 is a strong indicator of successful injection.
  • The attack uses a multipart/form-data POST body with required fields: anno, id_sessione, modifica_interconnessione=SI, modifica_utente_agg=SI, and the injected n_utente_agg parameter. Alert on multipart POST requests to /interconnessioni.php where n_utente_agg contains SQL metacharacters or SLEEP/SELECT subqueries.
  • Use FOFA/Shodan queries to identify exposed Hoteldruid instances as potential targets: FOFA title="hoteldruid", Shodan title:"hoteldruid".
  • The vulnerability is present in Hoteldruid v3.0.5 specifically. Debian sid has resolved the issue in package version 3.0.6-1, but bookworm and bullseye remain open/unpatched as of the advisory.
  • The Nuclei template uses a two-step flow: first confirming the target is a Hoteldruid instance (body contains 'hoteldruid'), then sending the SQLi payload. Detection logic should similarly confirm application identity before flagging.
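The detection logic the bullets above describe, written out as an added example (not code from the advisory, the Nuclei template or the Hoteldruid project): it parses the multipart POST body, checks n_utente_agg for SQL metacharacters or SLEEP/SELECT constructs, confirms the application identity from the response body, and escalates to "likely_success" only when the response took 7 seconds or more with HTTP 200. The request-record layout, boundary string and session values are constructed assumptions.

```python
import re

# Value-level signature: quote/semicolon metacharacters, comment openers, SLEEP/BENCHMARK
# calls or SELECT/UNION keywords in the n_utente_agg parameter (defender-side matching).
SQLI_PATTERN = re.compile(r"""['";]|--|/\*|\b(sleep|benchmark)\s*\(|\b(select|union)\b""", re.I)

def parse_multipart(body: str, boundary: str) -> dict:
    """Minimal multipart/form-data text-field extractor (no file parts)."""
    fields = {}
    for part in body.split("--" + boundary):
        head, sep, value = part.partition("\r\n\r\n")
        name = re.search(r'name="([^"]+)"', head)
        if sep and name:
            fields[name.group(1)] = value.strip()
    return fields

def classify(req: dict) -> str:
    """Return 'none', 'attempt' or 'likely_success' for one request/response record."""
    if req["method"] != "POST" or not req["path"].endswith("/interconnessioni.php"):
        return "none"
    ctype = req["content_type"]
    m = re.search(r"boundary=([^;\s]+)", ctype)
    if not ctype.startswith("multipart/form-data") or not m:
        return "none"
    fields = parse_multipart(req["body"], m.group(1))
    if not SQLI_PATTERN.search(fields.get("n_utente_agg", "")):
        return "none"
    # Confirm application identity before escalating, as the template's first step does.
    is_hoteldruid = "hoteldruid" in req["response_body"].lower()
    if is_hoteldruid and req["status"] == 200 and req["elapsed_s"] >= 7:
        return "likely_success"
    return "attempt"

# Constructed sample traffic (hypothetical boundary and session values), not captured data.
BOUNDARY = "XXBOUNDARYXX"
def _part(name, value):
    return f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'
def _body(n_utente_agg):
    return "".join(_part(k, v) for k, v in [("anno", "2023"), ("id_sessione", "s3ss10n"),
        ("modifica_interconnessione", "SI"), ("modifica_utente_agg", "SI"),
        ("n_utente_agg", n_utente_agg)]) + f"--{BOUNDARY}--\r\n"
BASE = {"method": "POST", "path": "/hoteldruid/interconnessioni.php", "status": 200,
        "content_type": f"multipart/form-data; boundary={BOUNDARY}",
        "response_body": "<title>HotelDruid</title>"}
PAYLOAD = "1' AND (SELECT 3869 FROM (SELECT(SLEEP(7)))qSXB)-- QMbZ"  # the page's IOC
SAMPLES = {
    "benign": {**BASE, "body": _body("1"), "elapsed_s": 0.2},
    "probe": {**BASE, "body": _body(PAYLOAD), "elapsed_s": 0.3},
    "success": {**BASE, "body": _body(PAYLOAD), "elapsed_s": 7.4},
}

if __name__ == "__main__":
    for label, req in SAMPLES.items():
        print(label, "->", classify(req))
```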

CVSS provenance

nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv: 9.8 CRITICAL
vendor_debian: 9.8 CRITICAL