A BOLA vulnerability in GET, PUT, DELETE /secretaries/{secretaryId} allows a low privileged user to fetch, modify or delete a low privileged user (secretary). This results in unauthorized access and unauthorized data manipulation.
An attacker with an account with low privilege level can send HTTP requests (GET, PUT, DELETE) to the /secretaries/{secretaryId} endpoints, specifying another user's identifier in the path. The application does not properly verify whether the requesting user has access rights to the specified resource, accepting requests concerning other accounts. This allows reading, modification, or deletion of data for any user with the secretary role.
An attacker can gain unauthorized access to personal data of other users, modify their data, or completely delete their accounts, leading to violations of confidentiality and integrity of data stored in the system.
Patches available from the vendor should be applied according to references (https://github.com/alextselegidis/easyappointments). Additionally, it is recommended to verify that object-level access control mechanisms have been correctly implemented for all API endpoints.
Easy!Appointments application (Easyappointments product); specific vulnerable versions are indicated in the vendor's references on GitHub.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HEasyappointments
APPEasyappointments< 1.5.0
Related vulnerabilities
EasyAppointments v.1.5.0 — privilege escalation przez index.php
BOLA w EasyAppointments — nieautoryzowany dostęp do webhooków innych użytkowników
BOLA w Easy!Appointments — nieautoryzowany dostęp do kont dostawców
BOLA w Easy!Appointments — privilege escalation do administratora
BOLA w EasyAppointments — nieuprawniony dostęp do wizyt innych użytkowników