Lucene search

Palo_altoVULNRICHMENT:CVE-2023-38051

HistoryJul 09, 2024 - 10:27 a.m.

CVE-2023-38051 A BOLA vulnerability in GET, PUT, DELETE /secretaries/{secretaryId} in EasyAppointments < 1.5.0

2024-07-0910:27:20

CWE-639

palo_alto

github.com

bola vulnerability

easyappointments

unauthorized access manipulation

CVSS3

9.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

AI Score

6.6

Confidence

Low

EPSS

0.001

Percentile

20.1%

SSVC

Exploitation

none

Automatable

Technical Impact

total

JSON

A BOLA vulnerability in GET, PUT, DELETE /secretaries/{secretaryId} allows a low privileged user to fetch, modify or delete a low privileged user (secretary). This results in unauthorized access and unauthorized data manipulation.

ADP Affected

[
  {
    "cpes": [
      "cpe:2.3:a:easyappointments:easyappointments:1.5.0:*:*:*:*:*:*:*"
    ],
    "vendor": "easyappointments",
    "product": "easyappointments",
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "1.5.0",
        "versionType": "custom"
      }
    ],
    "defaultStatus": "unknown"
  }
]

References

github.com/alextselegidis/easyappointments

CVSS3

9.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

AI Score

6.6

Confidence

Low

EPSS

0.001

Percentile

20.1%

SSVC

Exploitation

none

Automatable

Technical Impact

total

JSON

Related for VULNRICHMENT:CVE-2023-38051