Veracode Vulnerability Database: VERACODE:48005
Published: Jul 10, 2024 - 7:34 a.m.

Authorization Bypass

Source: sca.analysiscenter.veracode.com

CVSS3: 8.5
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: LOW
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:L

AI Score: 6.3
Confidence: High
EPSS: 0.001
Percentile: 20.1%

alextselegidis/easyappointments is vulnerable to Authorization Bypass. The GET, PUT and DELETE handlers for the /categories/{categoryId} endpoint do not verify that the requesting user is authorized to act on the requested category, so a low-privileged user can fetch, modify or delete the category data of any user, including administrators. An attacker holding any low-privileged account can use this to read, alter or delete that data without proper authorization. Note that the published CVSS vector scores Confidentiality Impact as NONE even though the description includes unauthorized GET access to category data; the 8.5 score reflects only the integrity and availability impact.
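The check a practitioner would want after reading the description is a probe that exercises all three methods on /categories/{categoryId} with a low-privileged session and reports which ones the server still accepts. The following is an added example, not code from the advisory or from the easyappointments project. It abstracts the HTTP transport as a callable so it runs offline against the constructed FakeCategoryServer below; against a live instance you would pass a thin wrapper around a real HTTP client instead (assumed usage, not shown by the advisory). The "patched" behaviour modelled here (admin role, or ownership of the category) is an assumption about what a correct object-level check looks like; the advisory does not describe the upstream fix.

```python
"""Authorization probe for /categories/{categoryId} (GET, PUT, DELETE).

Added example, not code from the advisory or the easyappointments project.
The transport is a callable: send(method, path, json_body, session_token)
-> (status_code, json_body). FakeCategoryServer is a constructed stand-in
with the missing check switchable on and off; its ownership/admin rule is an
assumption, not the upstream fix.
"""
from typing import Callable, Dict, Optional, Tuple

Response = Tuple[int, dict]
Transport = Callable[[str, str, Optional[dict], str], Response]

METHODS = ("GET", "PUT", "DELETE")


def probe_category_authz(send: Transport, category_id: int,
                         session_token: str) -> Dict[str, bool]:
    """Issue GET, PUT and DELETE on /categories/{id} with the given session.

    Returns {method: blocked}. blocked=True means the server answered 401 or
    403; False means the request was accepted. For a low-privileged session
    that does not own the category, every method must come back True.
    """
    path = f"/categories/{category_id}"
    results: Dict[str, bool] = {}
    for method in METHODS:
        body = {"name": "authz-probe"} if method == "PUT" else None
        status, _ = send(method, path, body, session_token)
        results[method] = status in (401, 403)
    return results


def is_vulnerable(results: Dict[str, bool]) -> bool:
    """True if any of the three methods was accepted for the probing user."""
    return not all(results.values())


class FakeCategoryServer:
    """Constructed in-memory stand-in for the endpoint.

    enforce_authz=False reproduces the reported behaviour: any authenticated
    user can read, modify or delete any category. enforce_authz=True adds the
    object-level check (admin role, or owner of the record) whose absence the
    advisory describes; the exact rule is an assumption.
    """

    def __init__(self, enforce_authz: bool) -> None:
        self.enforce_authz = enforce_authz
        # constructed sample sessions: token -> (user id, role)
        self.sessions = {"admin-token": (1, "admin"), "user-token": (2, "provider")}
        # constructed sample data: category id -> record (owned by the admin)
        self.categories = {7: {"id": 7, "name": "Consultations", "owner_id": 1}}

    def handle(self, method: str, path: str, body: Optional[dict],
               token: str) -> Response:
        if token not in self.sessions:
            return 401, {"error": "not authenticated"}
        user_id, role = self.sessions[token]

        prefix = "/categories/"
        if not path.startswith(prefix) or not path[len(prefix):].isdigit():
            return 404, {"error": "not found"}
        record = self.categories.get(int(path[len(prefix):]))
        if record is None:
            return 404, {"error": "not found"}

        # The object-level authorization check the vulnerable handlers lack.
        if self.enforce_authz and role != "admin" and record["owner_id"] != user_id:
            return 403, {"error": "forbidden"}

        if method == "GET":
            return 200, dict(record)
        if method == "PUT":
            record.update({k: v for k, v in (body or {}).items() if k == "name"})
            return 200, dict(record)
        if method == "DELETE":
            del self.categories[record["id"]]
            return 200, {"deleted": record["id"]}
        return 405, {"error": "method not allowed"}


if __name__ == "__main__":
    for enforce in (False, True):
        server = FakeCategoryServer(enforce_authz=enforce)
        outcome = probe_category_authz(server.handle, 7, "user-token")
        print(f"authz enforced={enforce}: {outcome} vulnerable={is_vulnerable(outcome)}")
```

Run the probe with a session you have first confirmed is valid (for example by fetching a resource that user is allowed to see): an expired or bogus token yields 401 on every method, which the probe counts as "blocked" and would mask a still-vulnerable server. Also note that DELETE is destructive, so point the probe at a disposable category on a test instance.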

