CVE-2023-39422

🗓️ 07 Sep 2023 12:22:52Reported by BitdefenderType

cve🔗 web.nvd.nist.gov👁 2479 Views🌐 WEB

/irmdata/api/ endpoints authentication issu

Reporter	Title	Published	Views	Family All 8
Circl	CVE-2023-39422	20 Sep 202312:34	–	circl
CNNVD	engine Trust Management Gaps	7 Sep 202300:00	–	cnnvd
Cvelist	CVE-2023-39422 Use of Hard-coded Credentials in multiple /irmdata/api/ endpoints	7 Sep 202312:22	–	cvelist
EUVD	EUVD-2023-43146	3 Oct 202520:07	–	euvd
NVD	CVE-2023-39422	7 Sep 202313:15	–	nvd
Prion	Code injection	7 Sep 202313:15	–	prion
Positive Technologies	PT-2023-26943 · Unknown · Irm Next Generation	7 Sep 202300:00	–	ptsecurity
Vulnrichment	CVE-2023-39422 Use of Hard-coded Credentials in multiple /irmdata/api/ endpoints	7 Sep 202312:22	–	vulnrichment

NVD

Node

resortdata internet_reservation_module_next_generationMatch-

[
  {
    "defaultStatus": "unaffected",
    "modules": [
      "/irmdata/api/"
    ],
    "product": "IRM Next Generation",
    "vendor": "Resort Data Processing, Inc.",
    "versions": [
      {
        "status": "unknown",
        "version": "5"
      }
    ]
  }
]

Source	Link
bitdefender	www.bitdefender.com/blog/labs/check-out-with-extra-charges-vulnerabilities-in-hotel-booking-engine-explained

Parameter	Position	Path	Description	CWE
Authorization	header	/irmdata/api/	HMAC authentication tokens are exposed in client-side JavaScript, enabling attackers to reuse valid tokens to access /irmdata/api/ endpoints.	CWE-798
X-HMAC-Token	header	/irmdata/api/	HMAC authentication tokens are exposed in client-side JavaScript, enabling attackers to reuse valid tokens to access /irmdata/api/ endpoints.	CWE-798
Cookie	header	/irmdata/api/	HMAC authentication tokens are exposed in client-side JavaScript, enabling attackers to reuse valid tokens to access /irmdata/api/ endpoints.	CWE-798

21 Nov 2024 08:15Current

7.3High risk

Vulners AI Score7.3

CVSS 3.16.5 - 9.8

EPSS0.00081

SSVC

CWE-798