CVE-2023-34537 PoC — HotelDruid 跨站脚本漏洞

Source

Associated Vulnerability

Readme

# CVE-2023-34537--- Reflected XSS found in HotelDruid V3.0.5


HotelDruid v3.0.5 are vulnerable to multipe XSS vulnerabilities. These vulnerabilities could allows remote authenticated attackers to inject arbitrary web script or HTML.

This is my third repo. Don't beat me if i didn't explain well.

Description of product : Hoteldruid is an open source program for hotel management (property management software) developed by DigitalDruid.Net.

Description of vulnerability : We found that this web application allows any authenticated user to inject arbitrary web script or HTML into affected parameter and again, dont beat me if i didn’t explain well.

Affected Webpage : creaprezzi.php
Affected Webpage : crearegole.php
Affected Parameter&Component : tipotariff from creaprezzi.php
Affected Parameter&Component : inizioperiodo from crearegole.php

Step 1: login and navigate to creaprezzi.php , the highligted part is the affected parameter in GUI

![image](https://github.com/leekenghwa/CVE-2023-34537---XSS-reflected--found-in-HotelDruid-3.0.5/assets/45155253/2fc2983e-46e7-4e0d-be97-b3cbc64e2dc1)

Step 2: Select the drop down list, it could be any and intercept with Burpsuite , then  add the this payload after parameter tipotariff + your selectuon ID


payload used : a19yc%22%3e%3cscript%3ealert("THIS IS XSS FROM BB")%3c%2fscript%3emjf9oc2183m

![payload_picture](https://github.com/leekenghwa/CVE-2023-34537---XSS-reflected--found-in-HotelDruid-3.0.5/assets/45155253/e7a7be9d-9738-4051-846f-34a636369b62)

Step 3: Forward and Enjoy :-) .

![xss](https://github.com/leekenghwa/CVE-2023-34537---XSS-reflected--found-in-HotelDruid-3.0.5/assets/45155253/0b16609e-05a4-4596-b0e9-ea57dbbb6a20)


Second Affected Webpage

Step 1 : login and navigate to crearegole.php , Screenshot below shows the affected parameter

![parameter_affected](https://github.com/leekenghwa/CVE-2023-34537---XSS-reflected--found-in-HotelDruid-3.0.5/assets/45155253/16f69f3e-0156-4796-b9e2-607fa7868fe9)

![parameter_affected_2nd_tab](https://github.com/leekenghwa/CVE-2023-34537---XSS-reflected--found-in-HotelDruid-3.0.5/assets/45155253/41c8be9a-a47e-49aa-8fcd-06da37e1b96c)

![parameter_affected_select](https://github.com/leekenghwa/CVE-2023-34537---XSS-reflected--found-in-HotelDruid-3.0.5/assets/45155253/51e7efc8-e21a-4d2a-8e27-cfb9c9486cac)

Step 2 : you can just intercept with burp and added the xss payload after affected parameter.

payload used : a19yc%22%3e%3cscript%3ealert("THIS IS XSS FROM BB")%3c%2fscript%3emjf9oc2183m

![XSS_payload](https://github.com/leekenghwa/CVE-2023-34537---XSS-reflected--found-in-HotelDruid-3.0.5/assets/45155253/53a26463-e938-4c99-a47b-b395b61245e9)

![XSS_payload_2nd_tab](https://github.com/leekenghwa/CVE-2023-34537---XSS-reflected--found-in-HotelDruid-3.0.5/assets/45155253/2cb087f3-91e0-4368-9a0a-b71b1d5ca1a9)

Step 3 : Forward and Enjoy .


![XSS_PROOF](https://github.com/leekenghwa/CVE-2023-34537---XSS-reflected--found-in-HotelDruid-3.0.5/assets/45155253/73f980ac-4866-4d69-bff5-a519be6ed44d)


![XSS_PROOF_2nd_tab](https://github.com/leekenghwa/CVE-2023-34537---XSS-reflected--found-in-HotelDruid-3.0.5/assets/45155253/6991f16b-edd0-45d4-808a-95dc5c3cb6b2)

PS: Vendor have acknowledged and will release the bug fixes in next version. no coffee for BB.....Zzzz

File Snapshot

 [4.0K]  /data/pocs/1652fd4d7eda1e2a8394d68dc0707c125e378bb2
└── [3.2K]  README.md

0 directories, 1 file

Remarks