CRITICAL🇵🇱 Wersja polska

CVE-2023-38053

CVSS 9.9v3.1pub. 2024-07-09upd. 2024-11-21

A BOLA vulnerability in GET, PUT, DELETE /settings/{settingName} allows a low privileged user to fetch, modify or delete the settings of any user (including admin). This results in unauthorized access and unauthorized data manipulation.

🤖 AI Analysis
How it works

The vulnerability affects the API endpoints: GET, PUT, and DELETE /settings/{settingName}, where the {settingName} parameter identifies settings of a specific user. The application does not properly verify whether the logged-in user has access rights to the resource specified in the request. As a result, an attacker with a low-privilege account can freely manipulate the resource identifier and gain access to settings of other accounts, including the administrator account.

Impact

An attacker can read, modify, or delete settings of any user in the system, including administrators, leading to unauthorized data access and unauthorized manipulation of application configuration.

Mitigation & patch

Apply patches available from the vendor according to references. It is recommended to monitor the project repository at https://github.com/alextselegidis/easyappointments for information about available updates.

Who is affected

Easy!Appointments application (alextselegidis/easyappointments) — versions indicated in vendor references

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Easyappointments

    APP
    Easyappointments
    < 1.5.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-57602CRITICAL9.8PL ✓ten sam produkt

EasyAppointments v.1.5.0 — privilege escalation przez index.php

CVE-2023-38050CRITICAL9.1PL ✓ten sam produkt

BOLA w EasyAppointments — nieautoryzowany dostęp do webhooków innych użytkowników

CVE-2023-38048CRITICAL9.9PL ✓ten sam produkt

BOLA w Easy!Appointments — nieautoryzowany dostęp do kont dostawców

CVE-2023-3287CRITICAL9.9PL ✓ten sam produkt

BOLA w Easy!Appointments — privilege escalation do administratora

CVE-2023-38049CRITICAL9.9PL ✓ten sam produkt

BOLA w EasyAppointments — nieuprawniony dostęp do wizyt innych użytkowników