CVE-2023-29839

NameCVE-2023-29839
DescriptionA Stored Cross Site Scripting (XSS) vulnerability exists in multiple pages of Hotel Druid version 3.0.4, which allows arbitrary execution of commands. The vulnerable fields are Surname, Name, and Nickname in the Document function.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1035671

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
hoteldruid (PTS)jessie2.1.0-1vulnerable
stretch2.2.0-1vulnerable
buster2.3.2-1vulnerable
bullseye3.0.1-1vulnerable
bookworm3.0.4-1vulnerable
sid, trixie3.0.6-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
hoteldruidsourcejessie(unfixed)end-of-life
hoteldruidsourcestretch(unfixed)end-of-life
hoteldruidsource(unstable)3.0.5-11035671

Notes

[bookworm] - hoteldruid <no-dsa> (Minor issue)
[bullseye] - hoteldruid <no-dsa> (Minor issue)
[buster] - hoteldruid <no-dsa> (Minor issue)
https://github.com/jichngan/CVE-2023-29839
Fixed upstream in 3.0.5

Search for package or bug name: Reporting problems