The /irmdata/api/ endpoints exposed by the IRM Next Generation booking engine authenticates requests using HMAC tokens. These tokens are however exposed in a JavaScript file loaded on the client side, thus rendering this extra safety mechanism useless.
References
| Link | Resource |
|---|---|
| https://bitdefender.com/blog/labs/check-out-with-extra-charges-vulnerabilities-in-hotel-booking-engine-explained | Third Party Advisory |
| https://bitdefender.com/blog/labs/check-out-with-extra-charges-vulnerabilities-in-hotel-booking-engine-explained | Third Party Advisory |
Configurations
Configuration 1 (hide)
|
History
21 Nov 2024, 08:15
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.5 |
| References | () https://bitdefender.com/blog/labs/check-out-with-extra-charges-vulnerabilities-in-hotel-booking-engine-explained - Third Party Advisory |
12 Sep 2023, 00:08
| Type | Values Removed | Values Added |
|---|---|---|
| References | (MISC) https://bitdefender.com/blog/labs/check-out-with-extra-charges-vulnerabilities-in-hotel-booking-engine-explained - Third Party Advisory | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
| First Time |
Resortdata
Resortdata internet Reservation Module Next Generation |
|
| CPE | cpe:2.3:a:resortdata:internet_reservation_module_next_generation:-:*:*:*:*:*:*:* |
07 Sep 2023, 13:42
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2023-09-07 13:15
Updated : 2024-11-21 08:15
NVD link : CVE-2023-39422
Mitre link : CVE-2023-39422
CVE.ORG link : CVE-2023-39422
JSON object : View
Products Affected
resortdata
- internet_reservation_module_next_generation
CWE
CWE-798
Use of Hard-coded Credentials