CVE-2023-39421 HIGH

CVE-2023-39421: Use of Hard-coded Credentials in RDPWin.dll

Vendor Resort Data Processing, Inc.
Product IRM Next Generation
Weakness CWE-798 · Hardcoded credentials
Published September 7, 2023
Last update September 26, 2024

CVSS base score

7.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N

What the vulnerability does

01Description

The RDPWin.dll component as used in the IRM Next Generation booking engine includes a set of hardcoded API keys for third-party services such as Twilio and Vonage. These keys allow unrestricted interaction with these services.

Key dates

02Disclosure timeline

September 7, 2023 CVE published
September 26, 2024 Record updated