Hotels_Server through 2018-11-05 has SQL Injection via the controller/fetchpwd.php username parameter.
hotels server project hotels server