A BOLA vulnerability in GET, PUT, DELETE /admins/{adminId} allows a low privileged user to fetch, modify or delete a high privileged user (admin). This results in unauthorized access and unauthorized data manipulation.
The vulnerability affects API endpoints GET, PUT, and DELETE under the path /admins/{adminId}. An authenticated user with low privileges can send HTTP requests to these endpoints by specifying an administrator account identifier (adminId). The application does not properly verify whether the requesting user has access rights to the specified resource, which is a classic case of CWE-639 (Authorization Bypass Through User-Controlled Key).
An attacker with basic system access can read administrator account data, modify their settings, or completely delete accounts, leading to unauthorized access and data manipulation of highly privileged users.
Apply patches available from the vendor according to the references. Temporarily, it is recommended to restrict API access exclusively to trusted networks and monitor requests directed to the /admins/{adminId} endpoints.
Easy!Appointments application (alextselegidis/easyappointments) — versions indicated in the vendor's references
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HEasyappointments
APPEasyappointments< 1.5.0
Related vulnerabilities
EasyAppointments v.1.5.0 — privilege escalation przez index.php
BOLA w EasyAppointments — nieautoryzowany dostęp do webhooków innych użytkowników
BOLA w Easy!Appointments — nieautoryzowany dostęp do kont dostawców
BOLA w Easy!Appointments — privilege escalation do administratora
BOLA w EasyAppointments — nieuprawniony dostęp do wizyt innych użytkowników