A BOLA vulnerability in POST /admins allows a low privileged user to create a high privileged user (admin) in the system. This results in privilege escalation.
An attacker with any account in the Easy!Appointments system can send a POST request to the /admins endpoint without proper authorization verification. Lack of object-level authorization control (CWE-639) causes the application to accept the request and create a new user with administrator privileges. In this way, a low-privileged user gains full control over the system.
An attacker can escalate their privileges to administrator level, granting them full access to data, configuration, and management of all users and appointments in the system.
Apply patches available from the vendor according to references (https://github.com/alextselegidis/easyappointments)
Easy!Appointments application (easyappointments/easyappointments) — versions indicated in the vendor references
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HEasyappointments
APPEasyappointments< 1.5.0
Related vulnerabilities
EasyAppointments v.1.5.0 — privilege escalation przez index.php
BOLA w Easy!Appointments — nieuprawniony dostęp do danych sekretarek
BOLA w EasyAppointments — nieuprawniony dostęp do wizyt innych użytkowników
BOLA w Easy!Appointments — nieautoryzowany dostęp do kont dostawców
BOLA w EasyAppointments — nieautoryzowany dostęp do webhooków innych użytkowników