Vulnerabilities > CVE-2023-39420 - Unspecified vulnerability in Resortdata Internet Reservation Module Next Generation 5.3.2.15

CVSS 8.8 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

LOW

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

resortdata

NVD

Published: 2023-09-07

Updated: 2024-11-21

Summary

The RDPCore.dll component as used in the IRM Next Generation booking engine, allows a remote user to connect to customers with an "admin" account and a corresponding password computed daily by a routine inside the DLL file. Once reverse-engineered, this routine can help an attacker generate the daily password and connect to application customers. Given that this is an administrative account, anyone logging into a customer deployment has full, unrestricted access to the application.

Vulnerable Configurations

Part	Description	Count
Application	Resortdata Resortdata Internet Reservation Module Next Generation 5.3.2.15	1

References

https://bitdefender.com/blog/labs/check-out-with-extra-charges-vulnerabilities-in-hotel-booking-engine-explained/
https://bitdefender.com/blog/labs/check-out-with-extra-charges-vulnerabilities-in-hotel-booking-engine-explained/