Vulnerabilities
Vulnerable Software

Vulnerability Details CVE-2025-44203

In HotelDruid 3.0.0 and 3.0.7, the unauthenticated database-setup endpoint creadb.php can be reached before setup is completed and performs database creation without locking. By sending many concurrent requests, an attacker can trigger a race condition during which verbose SQL error messages disclose the administrator username, password hash, and salt. The same race leaves the setup partially initialized, so the administrator can no longer log in with the credentials set during installation, resulting in a denial of service that requires reinstallation to recover. Remote exploitation additionally requires the installation to allow non-localhost access. The vulnerability was fixed in version 3.0.8.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.005
EPSS Ranking 39.1%
CVSS Severity
CVSS v3 Score 7.5
Products affected by CVE-2025-44203


Contact Us

Shodan ® - All rights reserved