Lucene search

Palo_altoVULNRICHMENT:CVE-2023-38050

HistoryJul 09, 2024 - 10:26 a.m.

CVE-2023-38050 A BOLA vulnerability in GET, PUT, DELETE /webhooks/{webhookId} in EasyAppointments < 1.5.0

2024-07-0910:26:46

CWE-639

palo_alto

github.com

cve-2023-38050

easyappointments

bola

webhooks

unauthorized access

unauthorized data manipulation

CVSS3

9.1

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:L

AI Score

6.6

Confidence

Low

EPSS

0.001

Percentile

20.1%

SSVC

Exploitation

none

Automatable

Technical Impact

partial

JSON

A BOLA vulnerability in GET, PUT, DELETE /webhooks/{webhookId} allows a low privileged user to fetch, modify or delete a webhook of any user (including admin). This results in unauthorized access and unauthorized data manipulation.

CNA Affected

[
  {
    "product": "easyappointments",
    "versions": [
      {
        "status": "affected",
        "version": "*",
        "lessThan": "1.5.0",
        "versionType": "git"
      }
    ],
    "packageName": "alextselegidis/easyappointments",
    "collectionURL": "https://github.com/alextselegidis/easyappointments",
    "defaultStatus": "unaffected"
  }
]

References

github.com/alextselegidis/easyappointments