25 matches found
CVE-2022-1397
CVE-2022-1397 affects Easy!Appointments (GitHub: alextselegidis/easyappointments). The vulnerability is an API privilege escalation arising from inadequate authorization checks: the API validates existence of a user but not their permissions, allowing a low-privileged user (e.g., provider) to cre...
CVE-2022-0482
Easy!Appointments before 1.4.3 is affected by a Broken Access Control vulnerability that allows an unauthorized user to retrieve sensitive appointment data via a public-facing API endpoint (examples reference /index.php/backend_api/ajax_get_calendar_events) due to missing authentication/permissio...
CVE-2023-2105
CVE-2023-2105 concerns the Easy!Appointments project by alextselegidis. The issue is a session fixation vulnerability where the application does not generate a new ea_session cookie after user authentication, allowing a malicious actor to inject a session cookie and gain access after login. The f...
CVE-2023-3289
CVE-2023-3289 affects Easy!Appointments (versions prior to 1.5.0). A BOLA in POST /services allows a low-privileged user to create a service for any user (including admin), leading to unauthorized data manipulation. The connected documents provide explicit description of the affected endpoint and...
CVE-2024-57602
CVE-2024-57602 concerns EasyAppointments v1.5.0. Multiple connected sources confirm a vulnerability in the application where a missing permission validation in the file index.php enables a remote attacker to escalate privileges. The issue is described as unauthenticated, network-based, with HIGH ...
CVE-2024-57601
Consolidated details show a data-venue XSS vulnerability in Alex Tselegidis EasyAppointments v1.5.0, exploitable via the unfiltered legal_settings parameter. The CVE-2024-57601 entry is supported by multiple connected sources (Red Hat, OSV, OSV.dev, GHSA, Snyk, CNNVD, CIRCL) that consistently des...
CVE-2023-1269
CVE-2023-1269 affects Easy!Appointments (GitHub repo alextselegidis/easyappointments) prior to version 1.5.0. The root cause is hard-coded credentials in the repository. Impact described in sources centers on credential exposure; exploitation details are not provided in the documents. A fix is av...
CVE-2023-3288
CVE-2023-3288 affects Easy!Appointments, where a BOLA flaw on POST /providers allows a low-privileged user to create a privileged provider, enabling privilege escalation. Multiple connected sources (including CVELIST entry Easy!Appointments
CVE-2023-3286
CVE-2023-3286 affects Easy!Appointments prior to version 1.5.0. The vulnerability is described as a BOLA issue on POST /secretaries that allows a low-privileged user to create another low-privileged secretary account, enabling unauthorized data manipulation. The connected sources consistently fra...
CVE-2023-38048
CVE-2023-38048 affects Easy!Appointments (older releases) via a BOLA vulnerability in GET, PUT, DELETE /providers/{providerId}, enabling a low-privileged user to fetch, modify, or delete a privileged provider account. The vulnerability is described consistently across sources as an insecure autho...
CVE-2023-2104
CVE-2023-2104 affects the easyappointments project (extending across multiple feeds). The vulnerability is described as Improper Access Control in the GitHub repository alextselegidis/easyappointments prior to version 1.5.0. Multiple connected sources confirm that versions 1.4.3 and earlier allow...
CVE-2023-3287
Vulnerability details (CVE-2023-3287): Easy!Appointments
CVE-2023-38050
Easy!Appointments is affected by a BOLA vulnerability in the GET, PUT, DELETE /webhooks/{webhookId} endpoints, enabling a low-privileged user to fetch, modify, or delete any user’s webhook (including admin). Root cause: insufficient access control. Impact: unauthorized access and data manipulatio...
CVE-2023-38055
The CVE CVE-2023-38055 affects Easy!Appointments (vulnerable in versions before 1.5.0) via the GET, PUT, and DELETE /services/{serviceId} endpoint. The root cause is an insufficient access-control check in this interface, enabling a low-privileged user to fetch, modify, or delete services for any...
CVE-2023-38049
CVE-2023-38049 (Easy!Appointments) : The connected sources confirm a BOLA vulnerability in GET, PUT, and DELETE /appointments/{appointmentId} affecting Easy!Appointments versions
CVE-2023-1367
CVE-2023-1367 — Code Injection in easyappointments (GitHub: alextselegidis/easyappointments) Concrete details in connected documents confirm a vulnerability in Easy!Appointments versions prior to 1.5.0 caused by unescaped output, enabling code injection. Public sources note an HTML injection vect...
CVE-2023-2102
CVE-2023-2102 is a stored XSS vulnerability in the GitHub repository alextselegidis/easyappointments, affecting versions prior to 1.5.0. Multiple sources (OSV, GHSA, NVD, CVE list, CNNVD, PT-PTSecurity) corroborate that the issue is a stored XSS vulnerability in Easy!Appointments before 1.5.0, wi...
CVE-2023-2103
The CVE-2023-2103 entry concerns a stored Cross-site Scripting (XSS) vulnerability in the GitHub repository for alextselegidis/easyappointments , present in versions prior to 1.5.0 . Multiple connected sources describe the issue as a stored XSS triggered by user input, with a patch available at a...
CVE-2023-38052
CVE-2023-38052 describes a BOLA vulnerability in the EasyAppointments API where GET, PUT, DELETE /admins/{adminId} endpoints permit a low-privileged user to fetch, modify, or delete a high-privileged admin, leading to unauthorized access and data manipulation. Multiple sources associate this with...
CVE-2023-3290
Consolidated from connected records, CVE-2023-3290 applies to EasyAppointments, specifically the vulnerability in POST /customers. The root cause is an insecure authorization check that lets a low-privileged user create another low-privileged customer, enabling unauthorized data manipulation. Rel...
CVE-2023-38051
CVE-2023-38051 affects Easy!Appointments prior to 1.5.0. The vulnerability is a BOLA (authorization) issue in GET, PUT, DELETE /secretaries/{secretaryId}, allowing a low-privileged attacker to fetch, modify, or delete a secretary’s data. Impact described across multiple sources: unauthorized acce...
CVE-2023-38053
CVE-2023-38053 describes a BOLA vulnerability in EasyAppointments (GET, PUT, DELETE /settings/{settingName}) where a low-privileged user can fetch, modify, or delete the settings of any user (including admins) due to insufficient access control. Impact documented as unauthorized access and unauth...
CVE-2023-38047
CVE-2023-38047 affects Easy!Appointments prior to 1.5.0. The issue is an authorization flaw in GET, PUT, and DELETE on /categories/{categoryId} that lets a low-privileged user fetch, modify, or delete category data for any user (including admins), causing unauthorized access and data manipulation...
CVE-2023-38054
CVE-2023-38054 affects Easy!Appointments; a BOLA flaw in GET/PUT/DELETE /customers/{customerId} lets a low-privilege user fetch/modify/delete other low-privilege customers. Root cause: insufficient access checks. Impact: unauthorized data access and manipulation. Affected: Easy!Appointments versi...
CVE-2023-3700
CVE-2023-3700 affects Easy!Appointments prior to 1.5.0 (GitHub: alextselegidis/easyappointments). The root cause is improper access control enabling authorization bypass via a user-controlled key, allowing access to restricted functions. The issue is addressed by upgrading to version 1.5.0 or lat...