#1104020 hoteldruid: CVE-2023-43378

Package:
src:hoteldruid
Source:
src:hoteldruid
Submitter:
Salvatore Bonaccorso
Date:
2026-04-25 14:19:02 UTC
Severity:
normal
#1104020#5
Date:
2025-04-24 08:16:01 UTC
Hi,

The following vulnerability was published for hoteldruid.

CVE-2023-43378[0]:
| A cross-site scripting (XSS) vulnerability in Hoteldruid v3.0.5
| allows attackers to execute arbitrary web scripts or HTML via a
| crafted payload injected into the commento1_1 parameter.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-43378
https://www.cve.org/CVERecord?id=CVE-2023-43378
[1] https://flashy-lemonade-192.notion.site/Cross-site-scripting-in-hoteldruid-version-3-0-5-via-commento1_1-post-parameter-44ff18cb61cd4a80bbba75d5e4360ee4

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

#1104020#10
Date:
2026-04-25 14:01:48 UTC
Hello,

This bug was fixed in hoteldruid 3.0.6 but was not originally included in
the changelog, as the CVE number was not available at the time. The current
Debian changelog has added the CVE number as fixed in version 3.0.6, instead
of adding it to the current version 3.0.8.

Best regards,
Marco De Santis