CRITICAL🇵🇱 Wersja polska

CVE-2023-38051

CVSS 9.9v3.1pub. 2024-07-09upd. 2024-11-21

A BOLA vulnerability in GET, PUT, DELETE /secretaries/{secretaryId} allows a low privileged user to fetch, modify or delete a low privileged user (secretary). This results in unauthorized access and unauthorized data manipulation.

🤖 AI Analysis
How it works

An attacker with an account with low privilege level can send HTTP requests (GET, PUT, DELETE) to the /secretaries/{secretaryId} endpoints, specifying another user's identifier in the path. The application does not properly verify whether the requesting user has access rights to the specified resource, accepting requests concerning other accounts. This allows reading, modification, or deletion of data for any user with the secretary role.

Impact

An attacker can gain unauthorized access to personal data of other users, modify their data, or completely delete their accounts, leading to violations of confidentiality and integrity of data stored in the system.

Mitigation & patch

Patches available from the vendor should be applied according to references (https://github.com/alextselegidis/easyappointments). Additionally, it is recommended to verify that object-level access control mechanisms have been correctly implemented for all API endpoints.

Who is affected

Easy!Appointments application (Easyappointments product); specific vulnerable versions are indicated in the vendor's references on GitHub.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Easyappointments

    APP
    Easyappointments
    < 1.5.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-57602CRITICAL9.8PL ✓ten sam produkt

EasyAppointments v.1.5.0 — privilege escalation przez index.php

CVE-2023-38050CRITICAL9.1PL ✓ten sam produkt

BOLA w EasyAppointments — nieautoryzowany dostęp do webhooków innych użytkowników

CVE-2023-38048CRITICAL9.9PL ✓ten sam produkt

BOLA w Easy!Appointments — nieautoryzowany dostęp do kont dostawców

CVE-2023-3287CRITICAL9.9PL ✓ten sam produkt

BOLA w Easy!Appointments — privilege escalation do administratora

CVE-2023-38049CRITICAL9.9PL ✓ten sam produkt

BOLA w EasyAppointments — nieuprawniony dostęp do wizyt innych użytkowników