CVE-2021-42948

HotelDruid Hotel Management Software v3.0.3 and below was discovered to have exposed session tokens in multiple links via GET parameters, allowing attackers to access user session id's.

CVSS v3 3.7 LOW

3.7^/10

CVSS v3 : LOW

Vector :

Exploitability : 2.2 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/dhammon/HotelDruid-CVE-2021-42948	Third Party Advisory
https://github.com/dhammon/Security	Broken Link
https://www.hoteldruid.com/	Product Vendor Advisory
https://github.com/dhammon/HotelDruid-CVE-2021-42948	Third Party Advisory
https://github.com/dhammon/Security	Broken Link
https://www.hoteldruid.com/	Product Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:digitaldruid:hoteldruid:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2022-09-16 16:15

Updated : 2024-11-21 06:28

NVD link : CVE-2021-42948

Mitre link : CVE-2021-42948

CVE.ORG link : CVE-2021-42948

JSON object : View

Products Affected

digitaldruid

hoteldruid

CWE

CWE-319

Cleartext Transmission of Sensitive Information

{"id": "CVE-2021-42948", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 3.7, "attackVector": "NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 1.4, "exploitabilityScore": 2.2}]}, "published": "2022-09-16T16:15:09.960", "references": [{"url": "https://github.com/dhammon/HotelDruid-CVE-2021-42948", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/dhammon/Security", "tags": ["Broken Link"], "source": "cve@mitre.org"}, {"url": "https://www.hoteldruid.com/", "tags": ["Product", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://github.com/dhammon/HotelDruid-CVE-2021-42948", "tags": ["Third Party Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/dhammon/Security", "tags": ["Broken Link"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://www.hoteldruid.com/", "tags": ["Product", "Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-319"}]}], "descriptions": [{"lang": "en", "value": "HotelDruid Hotel Management Software v3.0.3 and below was discovered to have exposed session tokens in multiple links via GET parameters, allowing attackers to access user session id's."}, {"lang": "es", "value": "Se ha detectado que HotelDruid Hotel Management Software versiones v3.0.3 y anteriores, ten\u00eda tokens de sesi\u00f3n expuestos en m\u00faltiples enlaces por medio de par\u00e1metros GET, lo que permit\u00eda a atacantes acceder a identificadores de sesi\u00f3n de usuarios"}], "lastModified": "2024-11-21T06:28:19.127", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:digitaldruid:hoteldruid:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4D86C728-8983-431F-AEA0-6015B8A5AD23", "versionEndIncluding": "3.0.3"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}