CRITICAL🇵🇱 Wersja polska

CVE-2023-38048

CVSS 9.9v3.1pub. 2024-07-09upd. 2024-11-21

A BOLA vulnerability in GET, PUT, DELETE /providers/{providerId} allows a low privileged user to fetch, modify or delete a privileged user (provider). This results in unauthorized access and unauthorized data manipulation.

🤖 AI Analysis
How it works

An attacker logged in as a low-privileged user can send HTTP GET, PUT, or DELETE requests to the /providers/{providerId} API endpoints by specifying the identifier of any provider. The application does not properly verify whether the requesting user has the right to perform operations on the specified resource. As a result, it is possible to retrieve account data, modify it, or completely delete a privileged provider's account without appropriate permissions.

Impact

An attacker can gain unauthorized access to other users' data and manipulate or delete provider accounts, leading to violations of data confidentiality, integrity, and availability in the system.

Mitigation & patch

Patches available from the manufacturer should be applied according to references (GitHub repository: https://github.com/alextselegidis/easyappointments). Additionally, it is recommended to implement authorization validation at the object level for all API endpoints operating on user resources.

Who is affected

Easy!Appointments application (alextselegidis/easyappointments) — versions indicated in manufacturer references

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Easyappointments

    APP
    Easyappointments
    < 1.5.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-57602CRITICAL9.8PL ✓ten sam produkt

EasyAppointments v.1.5.0 — privilege escalation przez index.php

CVE-2023-38051CRITICAL9.9PL ✓ten sam produkt

BOLA w Easy!Appointments — nieuprawniony dostęp do danych sekretarek

CVE-2023-38049CRITICAL9.9PL ✓ten sam produkt

BOLA w EasyAppointments — nieuprawniony dostęp do wizyt innych użytkowników

CVE-2023-3287CRITICAL9.9PL ✓ten sam produkt

BOLA w Easy!Appointments — privilege escalation do administratora

CVE-2023-38050CRITICAL9.1PL ✓ten sam produkt

BOLA w EasyAppointments — nieautoryzowany dostęp do webhooków innych użytkowników