Unrated severityNVD Advisory· Published Sep 7, 2023· Updated Sep 26, 2024

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in RDPngFileUpload.dll

CVE-2023-39424

Description

A vulnerability in RDPngFileUpload.dll, as used in the IRM Next Generation booking system, allows a remote attacker to upload arbitrary content (such as a web shell component) to the SQL database and execute it with SYSTEM privileges. This vulnerability requires authentication to be exploited but can be paired with another vulnerability in the platform (CVE-2023-39420, which grants access to hardcoded credentials) to carry the attack without having assigned credentials.

Affected products

Resort Data Processing, Inc./Irm Next Generationv5
Range: 1.0.0.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

bitdefender.com/blog/labs/check-out-with-extra-charges-vulnerabilities-in-hotel-booking-engine-explainedmitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000