CVE-2023-38052

🗓️ 09 Jul 2024 10:27:51Reported by palo_altoType

cve🔗 web.nvd.nist.gov👁 44 Views🌐 WEB

BOLA vulnerability in GET, PUT, DELETE /admins/{adminId} allows low privileged user to access & modify high privileged user. Results in unauthorized access & data manipulation

Reporter	Title	Published	Views	Family All 7
CNNVD	Easy!Appointments Security Vulnerability	9 Jul 202400:00	–	cnnvd
Cvelist	CVE-2023-38052 A BOLA vulnerability in GET, PUT, DELETE /admins/{adminId} in EasyAppointments < 1.5.0	9 Jul 202410:27	–	cvelist
EUVD	EUVD-2023-41878	3 Oct 202520:07	–	euvd
NVD	CVE-2023-38052	9 Jul 202411:15	–	nvd
Positive Technologies	PT-2024-12686 · Easyappointments +1 · Alextselegidis/Easyappointments +1	9 Jul 202400:00	–	ptsecurity
Veracode	Authorization Bypass	12 Jul 202404:54	–	veracode
Vulnrichment	CVE-2023-38052 A BOLA vulnerability in GET, PUT, DELETE /admins/{adminId} in EasyAppointments < 1.5.0	9 Jul 202410:27	–	vulnrichment

NVD

Node

easyappointments easyappointmentsRange<1.5.0

[
  {
    "collectionURL": "https://github.com/alextselegidis/easyappointments",
    "defaultStatus": "unaffected",
    "packageName": "alextselegidis/easyappointments",
    "product": "easyappointments",
    "versions": [
      {
        "lessThan": "1.5.0",
        "status": "affected",
        "version": "*",
        "versionType": "git"
      }
    ]
  }
]

Source	Link
github	www.github.com/alextselegidis/easyappointments

Parameter	Position	Path	Description	CWE
adminId	path	/admins/{adminId}	BOLA: low-privilege user can access/modify/delete high-privileged admin via identifier in /admins/{adminId} for GET/PUT/DELETE	CWE-639

21 Nov 2024 08:12Current

8.3High risk

Vulners AI Score8.3

CVSS 3.18.1 - 9.9

EPSS0.00223

SSVC

CWE-639