CVE-2023-39424
CRITICAL
Resortdata Internet Reservation Module Next Generation - Injection
Title source: ruleDescription
A vulnerability in RDPngFileUpload.dll, as used in the IRM Next Generation booking system, allows a remote attacker to upload arbitrary content (such as a web shell component) to the SQL database and execute it with SYSTEM privileges. Exploitation requires authentication, but the vulnerability can be paired with another vulnerability in the platform (CVE-2023-39420, which grants access to hardcoded credentials) to carry out the attack without having been assigned credentials.
Scores
CVSS v3
9.9
EPSS
0.0041
EPSS Percentile
61.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-74
CWE-434
Status
published
Products (1)
resortdata/internet_reservation_module_next_generation
5.3.2.15
Published
Sep 07, 2023
Tracked Since
Feb 18, 2026