167 matches found
CVE-2024-57601
Consolidated details show a data-venue XSS vulnerability in Alex Tselegidis EasyAppointments v1.5.0, exploitable via the unfiltered legal_settings parameter. The CVE-2024-57601 entry is supported by multiple connected sources (Red Hat, OSV, OSV.dev, GHSA, Snyk, CNNVD, CIRCL) that consistently des...
CVE-2024-57602
An issue in Alex Tselegidis EasyAppointments v.1.5.0 allows a remote attacker to escalate privileges via the index.php file...
CVE-2024-57602
CVE-2024-57602 concerns EasyAppointments v1.5.0. Multiple connected sources confirm a vulnerability in the application where a missing permission validation in the file index.php enables a remote attacker to escalate privileges. The issue is described as unauthenticated, network-based, with HIGH ...
CVE-2024-57601
Cross Site Scripting vulnerability in Alex Tselegidis EasyAppointments v.1.5.0 allows a remote attacker to execute arbitrary code via the legalsettings parameter...
CVE-2024-57602
An issue in Alex Tselegidis EasyAppointments v.1.5.0 allows a remote attacker to escalate privileges via the index.php file...
CVE-2022-1397
API Privilege Escalation in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Full system takeover...
Authorization Bypass
alextselegidis/easyappointments is vulnerable to Authorization Bypasss. The vulnerability is due to insufficient access controls in the GET, PUT, DELETE /secretaries/secretaryId endpoints, allowing a low privileged user to fetch, modify, or delete a secretary's data...
Authorization Bypass
alextselegidis/easyappointments is vulnerable to Authorization Bypass. The vulnerability is due to insufficient access control checks on the POST /admins endpoint, allowing low privileged users to create high privileged users admins, resulting in privilege escalation...
Authorization Bypass
alextselegidis/easyappointments is vulnerable to Authorization Bypass. The vulnerability is due to insufficient access control checks on the GET, PUT, DELETE /webhooks/webhookId endpoints, allowing low privileged users to fetch, modify, or delete webhooks of any user, resulting in unauthorized...
Authorization Bypass
alextselegidis/easyappointments is vulnerable to Authorization Bypass. The vulnerability is due to insufficient access control checks on the POST /customers endpoint, allowing low privileged users to create customer accounts, resulting in unauthorized data manipulation...
Authorization Bypass
alextselegidis/easyappointments is vulnerable to Authorization Bypass. The vulnerability is due to insufficient access control checks on the POST /secretaries endpoint, allowing low privileged users to create other low privileged users secretaries, resulting in unauthorized data manipulation...
Authorization Bypass
alextselegidis/easyappointments is vulnerable to Authorization Bypass. The vulnerability is due to insufficient access control checks on the GET, PUT, and DELETE endpoints for /customers/customerId, allowing low privileged users to fetch, modify, or delete other low privileged users customers...
Authorization Bypass
alextselegidis/easyappointments is vulnerable to Authorization Bypass. The vulnerability is due to insufficient access control checks on the GET, PUT, and DELETE endpoints for /settings/settingName, allowing low privileged users to fetch, modify, or delete settings of any user, including admin...
Authorization Bypass
alextselegidis/easyappointments is vulnerable to is vulnerable to Authorization Bypass. The vulnerability is due to improper authorization checks in the GET, PUT, and DELETE methods for the /categories/categoryId endpoint. This allows a low-privileged user to fetch, modify, or delete the category...
Authorization Bypass
alextselegidis/easyappointments is vulnerable for Authorization Bypass. The vulnerability is due to insufficient access controls on the GET, PUT, and DELETE methods for /appointments/appointmentId, allowing a low-privileged user to fetch, modify, or delete any user's appointment, including those ...
Authorization Bypass
alextselegidis/easyappointments is vulnerable to Authorization Bypass. The vulnerability is due to improper authorization checks in the POST /appointments endpoint, allowing a low-privileged user to create appointments for any user in the system, including administrators. Attackers can exploit th...
CVE-2023-3288 A BOLA vulnerability in POST /providers in EasyAppointments < 1.5.0
A BOLA vulnerability in POST /providers allows a low privileged user to create a privileged user provider in the system. This results in privilege escalation...
CVE-2023-3288 A BOLA vulnerability in POST /providers in EasyAppointments < 1.5.0
A BOLA vulnerability in POST /providers allows a low privileged user to create a privileged user provider in the system. This results in privilege escalation...
CVE-2023-38055 A BOLA vulnerability in GET, PUT, DELETE /services/{serviceId} in EasyAppointments < 1.5.0
A BOLA vulnerability in GET, PUT, DELETE /services/serviceId allows a low privileged user to fetch, modify or delete the services of any user including admin. This results in unauthorized access and unauthorized data manipulation...
CVE-2023-38055 A BOLA vulnerability in GET, PUT, DELETE /services/{serviceId} in EasyAppointments < 1.5.0
A BOLA vulnerability in GET, PUT, DELETE /services/serviceId allows a low privileged user to fetch, modify or delete the services of any user including admin. This results in unauthorized access and unauthorized data manipulation...