CVE-2025-25748

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-25748

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-25748.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-25748

Related

UBUNTU-CVE-2025-25748

Withdrawn

2025-03-14T13:04:29Z

Published

2025-03-11T18:15:32Z

Modified

2025-03-21T23:00:25.538615Z

Summary

[none]

Details

A CSRF vulnerability in the gestioneutenti.php endpoint of HotelDruid 3.0.7 allows attackers to perform unauthorized actions (e.g., modifying user passwords) on behalf of authenticated users by exploiting the lack of origin or referrer validation and the absence of CSRF tokens. NOTE: this is disputed because there is an idsessione CSRF token.

References

Affected packages

Debian:11 / hoteldruid

Package

Name: hoteldruid
Purl: pkg:deb/debian/hoteldruid?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.0.1-1

3.0.3-1

3.0.4-1

3.0.5-1

3.0.6-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / hoteldruid

Package

Name: hoteldruid
Purl: pkg:deb/debian/hoteldruid?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.0.4-1

3.0.5-1

3.0.6-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / hoteldruid

Package

Name: hoteldruid
Purl: pkg:deb/debian/hoteldruid?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.0.4-1

3.0.5-1

3.0.6-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}