CRITICAL🇵🇱 Wersja polska

CVE-2023-38054

CVSS 9.9v3.1pub. 2024-07-09upd. 2024-11-21

A BOLA vulnerability in GET, PUT, DELETE /customers/{customerId} allows a low privileged user to fetch, modify or delete a low privileged user (customer). This results in unauthorized access and unauthorized data manipulation.

🤖 AI Analysis
How it works

The vulnerability affects API endpoints: GET, PUT and DELETE /customers/{customerId}. A logged-in user with low privileges can manipulate the customerId parameter value in an HTTP request, thereby gaining access to resources belonging to other users. The application does not verify whether the requesting user is the owner of the specified resource, which is a classic manifestation of CWE-639 error (Authorization Bypass Through User-Controlled Key). An attacker can thus retrieve, overwrite, or permanently delete data of any customer registered in the system.

Impact

An attacker can gain unauthorized access to customers' personal data, modify this data, or permanently delete it, leading to violations of confidentiality, integrity, and availability of data stored in the system.

Mitigation & patch

Security patches available from the vendor should be applied according to references. It is also recommended to implement object-level authorization verification for all API endpoints operating on user resources.

Who is affected

Easy!Appointments application (easyappointments by alextselegidis) — versions indicated in vendor references

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Easyappointments

    APP
    Easyappointments
    < 1.5.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2024-57602CRITICAL9.8PL ✓ten sam produkt

EasyAppointments v.1.5.0 — privilege escalation przez index.php

CVE-2023-38050CRITICAL9.1PL ✓ten sam produkt

BOLA w EasyAppointments — nieautoryzowany dostęp do webhooków innych użytkowników

CVE-2023-38048CRITICAL9.9PL ✓ten sam produkt

BOLA w Easy!Appointments — nieautoryzowany dostęp do kont dostawców

CVE-2023-3287CRITICAL9.9PL ✓ten sam produkt

BOLA w Easy!Appointments — privilege escalation do administratora

CVE-2023-38049CRITICAL9.9PL ✓ten sam produkt

BOLA w EasyAppointments — nieuprawniony dostęp do wizyt innych użytkowników