5 matches found
CVE-2023-39422
The CVE-2023-39422 issue affects the IRM Next Generation booking engine’s /irmdata/api/ endpoints. The root cause is that HMAC tokens used to authenticate requests are exposed in a client-side JavaScript file, which renders this extra safety mechanism ineffective. Descriptions across sources repe...
CVE-2023-39421
CVE-2023-39421 involves the RDPWin.dll component used by the IRM Next Generation booking engine, which contains hardcoded API keys for third‑party services (Twilio, Vonage). The root cause is hardcoded credentials in RDPWin.dll, enabling unrestricted interaction with these services. NVD assigns a...
CVE-2023-39423
CVE-2023-39423 affects RDPData.dll, where the /irmdata/api/common endpoint processes session IDs and other features. The underlying issue is improper neutralization of SQL commands, enabling a UNION-based SQL injection that can leak the sessions table and obtain currently valid sessions, allowing...
CVE-2023-39424
CVE-2023-39424 affects the RDPngFileUpload.dll component used by the IRM Next Generation booking system. The vulnerability allows a remote attacker to upload arbitrary content (e.g., a web shell) to the SQL database and execute it with SYSTEM privileges. Authentication is required for exploitatio...
CVE-2023-39420
CVE-2023-39420 affects the RDPCore.dll component used in the IRM Next Generation booking engine. The vulnerability arises from a routine that computes a daily password for an admin account, enabling a remote user who can access a customer deployment to gain full, unrestricted access to the applic...