CVE-2019-9085

Name of the Vulnerable Software and Affected Versions Hoteldruid versions prior to 2.3.1

Description The issue allows remote authenticated users to cause a denial of service, specifically an invoice-creation outage, by sending invalid arguments via the n file parameter to the "visualizza contratto.php" endpoint. This can be achieved by providing any non-numeric value for the n file parameter, as demonstrated by a query string to "visualizza contratto.php" with parameters such as anno=2019&id transazione=1&numero contratto=1&n file=a.

Recommendations For Hoteldruid versions prior to 2.3.1, update to version 2.3.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the "visualizza contratto.php" endpoint or validating the n file parameter to ensure only numeric values are accepted.