A BOLA vulnerability in GET, PUT, DELETE /providers/{providerId} allows a low privileged user to fetch, modify or delete a privileged user (provider). This results in unauthorized access and unauthorized data manipulation.
An attacker logged in as a low-privileged user can send HTTP GET, PUT, or DELETE requests to the /providers/{providerId} API endpoints by specifying the identifier of any provider. The application does not properly verify whether the requesting user has the right to perform operations on the specified resource. As a result, it is possible to retrieve account data, modify it, or completely delete a privileged provider's account without appropriate permissions.
An attacker can gain unauthorized access to other users' data and manipulate or delete provider accounts, leading to violations of data confidentiality, integrity, and availability in the system.
Patches available from the manufacturer should be applied according to references (GitHub repository: https://github.com/alextselegidis/easyappointments). Additionally, it is recommended to implement authorization validation at the object level for all API endpoints operating on user resources.
Easy!Appointments application (alextselegidis/easyappointments) — versions indicated in manufacturer references
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HEasyappointments
APPEasyappointments< 1.5.0
Related vulnerabilities
EasyAppointments v.1.5.0 — privilege escalation przez index.php
BOLA w Easy!Appointments — nieuprawniony dostęp do danych sekretarek
BOLA w EasyAppointments — nieuprawniony dostęp do wizyt innych użytkowników
BOLA w Easy!Appointments — privilege escalation do administratora
BOLA w EasyAppointments — nieautoryzowany dostęp do webhooków innych użytkowników