
Fix: False Positives in CVE-2021-37833 (HotelDruid Fingerprint)#15597

Merged
DhiyaneshGeek merged 4 commits into projectdiscovery:main from Eren-Akdag:fix/CVE-2021-37833-fp
Mar 16, 2026

Conversation

@Eren-Akdag
Contributor

PR Information

This PR updates the CVE-2021-37833 (Hotel Druid 3.0.2 - Cross-Site Scripting) nuclei template to address False Positive issues encountered during enterprise vulnerability scanning.

Motivation:
During routine scanning of internal corporate assets, we observed that the previous version of this template triggered False Positives against generic web endpoints, custom SSO error portals, and proxy default pages that blindly echo/reflect user input appended to the URI. Because the previous template solely relied on detecting the payload string (</script><script>alert(document.domain)</script>) alongside a 200 OK status and a text/html header, these generic HTML reflections incorrectly triggered medium-severity XSS alerts, even when the asset was completely unrelated to HotelDruid.

Solution Introduced:
To improve the fidelity of the template and eliminate false positive findings on generic corporate assets, a Product Fingerprinting matcher has been introduced.

      - type: word
        part: body
        words:
          - 'hoteldruid'
        case-insensitive: true

By ensuring the hoteldruid technology signature is explicitly identified within the response body footprint (which is always present in legitimate HotelDruid installations through its <title>, copyright notices, and stylesheet links), this change successfully avoids false positives caused by blind reflection on unrelated applications, while preventing any false negatives against legitimately vulnerable instances.

Template validation

  • Validated with a host running a vulnerable version and/or configuration (True Positive)
  • Validated with a host running a patched version and/or configuration (avoid False Positive)

Additional Details

Prior to this update, a typical reflection scenario causing a False Positive looked like this:

Request Payload Sent:
GET /visualizza_tabelle.php?a...%3C%2Fscript%3E%3C... HTTP/1.1
Host: [REDACTED]

Server Response Header:
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
...

Server Response Body (RAW):
...
<input value="[REDACTED_INTERNAL_PATH]/?wo03b</script><script>alert(document.domain)</script>=" name="redirect_url" type="hidden">
...

As observed above, the payload is blindly reflected back inside a hidden input field of a completely different internal portal application following a parameter blind reflection. Since the word "hoteldruid" is entirely missing from the response body, the updated template successfully ignores this unrelated endpoint.

Debugging & Validation Flow:

# 1. Validation against a known false positive endpoint
$ nuclei -t http/cves/2021/CVE-2021-37833.yaml -u https://[REDACTED] -fhr

[INF] Executing 1 signed templates from projectdiscovery/nuclei-templates
[INF] Targets loaded for current scan: 1
[INF] Scan completed in 1.450s. No results found.  ✅ (False Positive Eliminated)

# 2. Validation against a real HotelDruid environment (True Positive Target)
$ nuclei -t http/cves/2021/CVE-2021-37833.yaml -u https://[REDACTED] -fhr

[CVE-2021-37833] [http] [medium] https://[REDACTED]/visualizza_tabelle.php?...
[INF] Scan completed in 1.890s. 1 matches found.   ✅ (No False Negatives)

None of the prerequisites are obligatory; they are merely intended to speed the review process.

Additional References:
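The matcher logic the PR describes, as an added example that is not code from the PR or from the nuclei project: a small evaluator for the matcher shapes this template uses (word on body or header, status, matchers-condition: and), run over three constructed responses. The payload string and the hoteldruid word matcher are taken from the PR text; the header and status matchers are reconstructed from the description ("200 OK status and a text/html header"), and the sample responses, paths and file names are constructed, not captured traffic.

```python
"""
Added example, not code from the PR or from nuclei: a minimal evaluator for the
matcher subset this template relies on, run over constructed responses to show
why the 'hoteldruid' word matcher stops the blind-reflection false positive while
a reflecting HotelDruid page still matches.

Assumptions: sample bodies are constructed; the header/status matchers are
reconstructed from the PR description; this is not nuclei's engine.
"""
from dataclasses import dataclass


# Payload string quoted in the PR description.
XSS_PAYLOAD = "</script><script>alert(document.domain)</script>"


@dataclass
class Response:
    status: int
    headers: dict
    body: str

    def header_text(self) -> str:
        # nuclei's "header" part is the raw header block; rebuild it here.
        return "\n".join(f"{k}: {v}" for k, v in self.headers.items())


def word_matches(resp: Response, m: dict) -> bool:
    """nuclei-style word matcher: any word (default) or all words in the part."""
    haystack = resp.body if m.get("part", "body") == "body" else resp.header_text()
    words = list(m["words"])
    if m.get("case-insensitive", False):
        haystack = haystack.lower()
        words = [w.lower() for w in words]
    hits = [w in haystack for w in words]
    return all(hits) if m.get("condition", "or") == "and" else any(hits)


def status_matches(resp: Response, m: dict) -> bool:
    return resp.status in m["status"]


def evaluate(resp: Response, matchers: list, matchers_condition: str = "or") -> bool:
    """Combine per-matcher results the way matchers-condition does."""
    results = []
    for m in matchers:
        if m["type"] == "word":
            results.append(word_matches(resp, m))
        elif m["type"] == "status":
            results.append(status_matches(resp, m))
        else:
            raise ValueError(f"unsupported matcher type {m['type']!r}")
    return all(results) if matchers_condition == "and" else any(results)


# The three checks the PR says the old template relied on ...
ORIGINAL_MATCHERS = [
    {"type": "word", "part": "body", "words": [XSS_PAYLOAD]},
    {"type": "word", "part": "header", "words": ["text/html"]},
    {"type": "status", "status": [200]},
]
# ... plus the product-fingerprint matcher added by this PR (as in the description).
FINGERPRINT_MATCHER = {
    "type": "word", "part": "body", "words": ["hoteldruid"], "case-insensitive": True,
}
FIXED_MATCHERS = ORIGINAL_MATCHERS + [FINGERPRINT_MATCHER]

HTML = {"Content-Type": "text/html"}

# Constructed sample responses (not captured traffic; paths are hypothetical).
SAMPLES = {
    # 1) Unrelated portal that echoes the URI into a hidden input: the FP case.
    "generic_reflection": Response(200, {"Server": "nginx", **HTML},
        '<input value="/portal/?wo03b' + XSS_PAYLOAD + '=" name="redirect_url" type="hidden">'),
    # 2) HotelDruid-looking page that reflects the payload unencoded: the TP case.
    "hoteldruid_vulnerable": Response(200, HTML,
        '<title>HotelDruid</title><link rel="stylesheet" href="hoteldruid.css">' + XSS_PAYLOAD),
    # 3) HotelDruid-looking page that HTML-encodes the payload: patched, no finding.
    "hoteldruid_patched": Response(200, HTML,
        '<title>HotelDruid</title>&lt;/script&gt;&lt;script&gt;alert(document.domain)&lt;/script&gt;'),
}


def compare(resp: Response) -> tuple:
    """(old template verdict, fixed template verdict); both use matchers-condition: and."""
    return evaluate(resp, ORIGINAL_MATCHERS, "and"), evaluate(resp, FIXED_MATCHERS, "and")


def run_all() -> dict:
    return {name: compare(r) for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for name, (old, new) in run_all().items():
        print(f"{name:22s} old={old!s:5s} fixed={new}")
```

The fingerprint word is a necessary-but-not-sufficient condition: it only removes findings, never adds them, so the true-positive path is unchanged as long as the product name survives in the body. The trade-off the PR accepts is that a HotelDruid deployment whose title, copyright text and stylesheet references have all been rebranded would no longer be flagged; when reviewing a fingerprint matcher like this one, that is the false-negative case to check against a real install.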

@neo-by-projectdiscovery-dev

neo-by-projectdiscovery-dev bot commented Mar 13, 2026

Neo - Nuclei Template Review

No security issues found

Highlights

  • Metadata additions only: co-author s4e-io, EPSS score/percentile fields, CPE identifier, impact and remediation descriptions
  • Core security logic unchanged: XSS payload matcher, hoteldruid fingerprint matcher, and matchers-condition remain identical to previous review
  • Template validation scope: Standard metadata enrichment following nuclei-templates guidelines

Hardening Notes
  • The product fingerprinting approach validated in the initial review (df04d5d) remains sound and unchanged
  • The AND condition with 4 matchers (XSS reflection + hoteldruid presence + text/html + status 200) continues to provide strong detection confidence
  • Added metadata fields (EPSS, CPE, impact, remediation) improve template documentation but do not affect runtime security detection


@Akokonunes Akokonunes added the Done Ready to merge label Mar 16, 2026
Removed outdated references from CVE-2021-37833.yaml
@DhiyaneshGeek DhiyaneshGeek merged commit 42f105a into projectdiscovery:main Mar 16, 2026
1 check passed


3 participants