A BOLA vulnerability in GET, PUT, DELETE /settings/{settingName} allows a low privileged user to fetch, modify or delete the settings of any user (including admin). This results in unauthorized access and unauthorized data manipulation.
The vulnerability affects the API endpoints: GET, PUT, and DELETE /settings/{settingName}, where the {settingName} parameter identifies settings of a specific user. The application does not properly verify whether the logged-in user has access rights to the resource specified in the request. As a result, an attacker with a low-privilege account can freely manipulate the resource identifier and gain access to settings of other accounts, including the administrator account.
An attacker can read, modify, or delete settings of any user in the system, including administrators, leading to unauthorized data access and unauthorized manipulation of application configuration.
Apply patches available from the vendor according to references. It is recommended to monitor the project repository at https://github.com/alextselegidis/easyappointments for information about available updates.
Easy!Appointments application (alextselegidis/easyappointments) — versions indicated in vendor references
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HEasyappointments
APPEasyappointments< 1.5.0
Related vulnerabilities
EasyAppointments v.1.5.0 — privilege escalation przez index.php
BOLA w EasyAppointments — nieautoryzowany dostęp do webhooków innych użytkowników
BOLA w Easy!Appointments — nieautoryzowany dostęp do kont dostawców
BOLA w Easy!Appointments — privilege escalation do administratora
BOLA w EasyAppointments — nieuprawniony dostęp do wizyt innych użytkowników