A BOLA vulnerability in GET, PUT, DELETE /appointments/{appointmentId} allows a low privileged user to fetch, modify or delete an appointment of any user (including admin). This results in unauthorized access and unauthorized data manipulation.
The vulnerability consists of improper authorization verification at the object level in API endpoints: GET, PUT, and DELETE /appointments/{appointmentId}. An authenticated user with low privileges can substitute any appointment identifier (appointmentId) in the request and gain access to a resource belonging to another user. The application does not verify whether the logged-in user is the owner of the specified resource, allowing data manipulation beyond their authorization scope.
Attackers can read confidential data from any appointment, modify its content, or delete it entirely — this also applies to administrative appointments. This leads to unauthorized access to data and its unauthorized manipulation.
Apply patches available from the vendor according to references. The project repository is available at: https://github.com/alextselegidis/easyappointments
EasyAppointments application (alextselegidis/easyappointments) — specific versions indicated in vendor references
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HEasyappointments
APPEasyappointments< 1.5.0
Related vulnerabilities
EasyAppointments v.1.5.0 — privilege escalation przez index.php
BOLA w Easy!Appointments — nieuprawniony dostęp do danych sekretarek
BOLA w Easy!Appointments — nieautoryzowany dostęp do kont dostawców
BOLA w Easy!Appointments — privilege escalation do administratora
BOLA w EasyAppointments — nieautoryzowany dostęp do webhooków innych użytkowników