CVE-2025-44203: 
Linux Debian vulnerability analysis and mitigation

CVE-2025-44203 affects HotelDruid versions 3.0.0 and 3.0.7, discovered and disclosed on June 20, 2025. The vulnerability exists in the creadb.php endpoint during the installation process, specifically before the 'create database' button is pressed. This security flaw allows unauthenticated attackers to exploit verbose SQL error messages to obtain sensitive information (NVD, GitHub).

The vulnerability is present in the creadb.php endpoint of HotelDruid's installation process. By sending malformed POST requests to this endpoint before the database creation step, attackers can exploit verbose SQL error messages. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The vulnerability is associated with CWE-209 (Generation of Error Message Containing Sensitive Information) and CWE-400 (Uncontrolled Resource Consumption) (NVD).

The successful exploitation of this vulnerability leads to two primary impacts: 1) Disclosure of sensitive information including administrator username, password hash, and salt, which could potentially lead to password recovery through brute force attacks if the password is weak, and 2) A Denial of Service (DoS) condition that prevents the administrator from logging in with their credentials, even when correct (GitHub, Wiz).

The primary mitigation is to ensure that during HotelDruid debian package configuration, the option 'Restrict HotelDruid access to localhost?' is set to 'Yes'. Additionally, administrators should consider implementing a Web Application Firewall (WAF) to help protect against unauthorized access to the installation endpoints (GitHub).