CVE-2023-34537: 
Linux Debian vulnerability analysis and mitigation

A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in HotelDruid version 3.0.5, an open-source hotel management software developed by DigitalDruid.Net. The vulnerability was identified and assigned CVE-2023-34537 in June 2023. This security flaw allows authenticated attackers to inject malicious code or commands into affected webpage parameters to trick users and potentially exfiltrate data (NVD, Ubuntu).

The vulnerability has been assigned a CVSS v3.1 Base Score of 5.4 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. The XSS vulnerability specifically affects two webpages: creaprezzi.php (parameter: tipotariff) and crearegole.php (parameter: inizioperiodo). An authenticated attacker can inject arbitrary web script or HTML into these affected parameters to execute malicious code in the victim's browser (NVD, GitHub POC).

The vulnerability allows attackers to execute arbitrary web scripts or HTML in the context of the victim's browser session. This can lead to user session hijacking, browser data theft, and potential exfiltration of sensitive information. The attack requires user interaction and authenticated access to be successful (NVD).

The vulnerability has been fixed in versions after 3.0.5. According to the Debian security tracker, the fix has been implemented in version 3.0.6-1. Organizations using affected versions should upgrade to the latest version to mitigate this vulnerability (Debian Tracker).