CRITICAL🇵🇱 Wersja polska

CVE-2023-38049

CVSS 9.9v3.1pub. 2024-07-09upd. 2024-11-21

A BOLA vulnerability in GET, PUT, DELETE /appointments/{appointmentId} allows a low privileged user to fetch, modify or delete an appointment of any user (including admin). This results in unauthorized access and unauthorized data manipulation.

🤖 AI Analysis
How it works

The vulnerability consists of improper authorization verification at the object level in API endpoints: GET, PUT, and DELETE /appointments/{appointmentId}. An authenticated user with low privileges can substitute any appointment identifier (appointmentId) in the request and gain access to a resource belonging to another user. The application does not verify whether the logged-in user is the owner of the specified resource, allowing data manipulation beyond their authorization scope.

Impact

Attackers can read confidential data from any appointment, modify its content, or delete it entirely — this also applies to administrative appointments. This leads to unauthorized access to data and its unauthorized manipulation.

Mitigation & patch

Apply patches available from the vendor according to references. The project repository is available at: https://github.com/alextselegidis/easyappointments

Who is affected

EasyAppointments application (alextselegidis/easyappointments) — specific versions indicated in vendor references

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Easyappointments

    APP
    Easyappointments
    < 1.5.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-57602CRITICAL9.8PL ✓ten sam produkt

EasyAppointments v.1.5.0 — privilege escalation przez index.php

CVE-2023-38051CRITICAL9.9PL ✓ten sam produkt

BOLA w Easy!Appointments — nieuprawniony dostęp do danych sekretarek

CVE-2023-38048CRITICAL9.9PL ✓ten sam produkt

BOLA w Easy!Appointments — nieautoryzowany dostęp do kont dostawców

CVE-2023-3287CRITICAL9.9PL ✓ten sam produkt

BOLA w Easy!Appointments — privilege escalation do administratora

CVE-2023-38050CRITICAL9.1PL ✓ten sam produkt

BOLA w EasyAppointments — nieautoryzowany dostęp do webhooków innych użytkowników