
CVE-2023-29839 PoC — Hotel Druid Cross-Site Scripting Vulnerability

Associated Vulnerability
Title: Hotel Druid Cross-Site Scripting Vulnerability (CVE-2023-29839)
Description: A Stored Cross Site Scripting (XSS) vulnerability exists in multiple pages of Hotel Druid version 3.0.4, which allows arbitrary execution of commands. The vulnerable fields are Surname, Name, and Nickname in the Document function.
Description
Hotel Druid 3.0.4 Stored Cross Site Scripting Vulnerability 
Readme
# CVE-2023-29839 Hotel Druid 3.0.4 Stored Cross Site Scripting Vulnerability
CMS Link: https://www.hoteldruid.com/

Version Affected: 3.0.4

Severity & CVSS: 5.4 (Medium) | Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

A Stored Cross Site Scripting (XSS) vulnerability exists in multiple pages of version 3.0.4 of the Hotel Druid application that allows for arbitrary execution of commands.

Vulnerable Fields: Surname, Name, Nickname in the "Document" function

Affected Links: `/visualizza_contratto.php`

Triggering the payload: Visit the **Example** document preview function

Remediation: Update to HotelDruid version 3.0.5

Steps to Reproduce:
1. Enter an XSS payload into a client's name. This can be done during a room reservation or when registering a new client. The payload used is `<script>alert(document.domain)</script>`

<img width="1438" alt="client_payload" src="https://user-images.githubusercontent.com/34933203/235818739-9a71fc4c-c0c4-4646-9772-42346b953bb9.png">

2. Navigate to the "Clients" tab and select the client holding the XSS payload by clicking on the "N" column
3. On this page there are two ways to trigger the stored XSS payload. The first is by viewing the **Example** document in the top right-hand corner of the page

<img width="1434" alt="Screenshot 2023-03-10 at 2 08 13 PM" src="https://user-images.githubusercontent.com/34933203/235818836-7d4e8c89-8193-4a47-b14e-21d45f735061.png">

<img width="1438" alt="Screenshot 2023-03-10 at 2 08 49 PM" src="https://user-images.githubusercontent.com/34933203/235818870-1b7305da-bd6d-4387-b021-62076668de83.png">

4. The second way to trigger the XSS payload is to navigate to the bottom of the page where you can modify the client's data
5. Once again, select the **Example** document and click on "View"

<img width="1433" alt="Screenshot 2023-03-10 at 2 10 13 PM" src="https://user-images.githubusercontent.com/34933203/235818954-e53d0088-cf7c-4140-8c4c-f8051b7dac23.png">

<img width="1438" alt="Screenshot 2023-03-10 at 2 08 49 PM" src="https://user-images.githubusercontent.com/34933203/235818973-12fba289-ee66-4e9b-88fc-18eff5bd53ad.png">

6. The XSS payload can also be triggered from elsewhere: navigate to "Reservations" and modify the client's reservation

<img width="1435" alt="Screenshot 2023-03-10 at 2 17 48 PM" src="https://user-images.githubusercontent.com/34933203/235819057-cc36c598-6bc4-4f1b-afdf-1d8e151ace02.png">

7. Scroll to the bottom of the page and once again select the **Example** document and click on "View"

<img width="1434" alt="Screenshot 2023-03-10 at 2 18 12 PM" src="https://user-images.githubusercontent.com/34933203/235819092-b0d2b0d9-2494-4c57-afe6-2afaefeaa6be.png">

<img width="1438" alt="Screenshot 2023-03-10 at 2 08 49 PM" src="https://user-images.githubusercontent.com/34933203/235819105-b7c8cfec-833e-4a1b-941f-dd7d092f800f.png">
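The steps above show the client's Surname, Name and Nickname being written unencoded into the "Example" document preview. The following is an added illustration, not Hotel Druid's own code: a stand-in template that reproduces the raw-interpolation pattern beside the output-encoded form, plus an audit helper that flags client records already carrying markup, which is useful before and after the upgrade to 3.0.5. The `Client` record, the template and the field names are assumptions modelled on the advisory's description.

```python
import html
import re
from dataclasses import dataclass

# Constructed client record shaped like the fields the advisory names
# (Surname, Name, Nickname); not Hotel Druid's own data model.
@dataclass
class Client:
    client_id: int
    surname: str
    name: str
    nickname: str

# The payload quoted in the advisory, used here only as a test input.
PAYLOAD = "<script>alert(document.domain)</script>"

# Hypothetical stand-in for the "Example" document preview: the three
# client fields are interpolated into an HTML fragment.
DOCUMENT_TEMPLATE = (
    "<p>Guest: {surname} {name}</p>\n"
    "<p>Known as: {nickname}</p>"
)

def render_document(client: Client, escape: bool = True) -> str:
    """Render the preview. escape=False reproduces the stored-XSS pattern
    (raw interpolation); escape=True encodes every field at output time,
    which neutralises anything already stored, including quotes."""
    enc = (lambda s: html.escape(s, quote=True)) if escape else (lambda s: s)
    return DOCUMENT_TEMPLATE.format(
        surname=enc(client.surname),
        name=enc(client.name),
        nickname=enc(client.nickname),
    )

# A tag opener, an event-handler attribute or a javascript: URL inside a
# name field is worth review when auditing records stored before the fix.
_SUSPECT = re.compile(r"<\s*/?[a-z!]|on[a-z]+\s*=|javascript:", re.IGNORECASE)

def find_stored_payloads(clients: list[Client]) -> list[tuple[int, str]]:
    """Return (client_id, field) pairs whose stored value looks like markup."""
    hits = []
    for c in clients:
        for field in ("surname", "name", "nickname"):
            if _SUSPECT.search(getattr(c, field)):
                hits.append((c.client_id, field))
    return hits
```

Encoding at render time rather than rejecting input keeps legitimate names such as O'Brien intact (the browser displays the entity as an apostrophe) while the stored payload from step 1 is shown as inert text.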

