CVE-2023-29839

Name	CVE-2023-29839
Description	A Stored Cross Site Scripting (XSS) vulnerability exists in multiple pages of Hotel Druid version 3.0.4, which allows arbitrary execution of commands. The vulnerable fields are Surname, Name, and Nickname in the Document function.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
Debian Bugs	1035671

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
hoteldruid (PTS)	buster	2.3.2-1	vulnerable
	bullseye	3.0.1-1	vulnerable
	bookworm, sid	3.0.4-1	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
hoteldruid	source	(unstable)	(unfixed)			1035671

Notes

[bookworm] - hoteldruid <no-dsa> (Minor issue)
[bullseye] - hoteldruid <no-dsa> (Minor issue)
[buster] - hoteldruid <no-dsa> (Minor issue)
https://github.com/jichngan/CVE-2023-29839
Fixed upstream in 3.0.5