A BOLA vulnerability in GET, PUT, DELETE /customers/{customerId} allows a low privileged user to fetch, modify or delete a low privileged user (customer). This results in unauthorized access and unauthorized data manipulation.
The vulnerability affects API endpoints: GET, PUT and DELETE /customers/{customerId}. A logged-in user with low privileges can manipulate the customerId parameter value in an HTTP request, thereby gaining access to resources belonging to other users. The application does not verify whether the requesting user is the owner of the specified resource, which is a classic manifestation of CWE-639 error (Authorization Bypass Through User-Controlled Key). An attacker can thus retrieve, overwrite, or permanently delete data of any customer registered in the system.
An attacker can gain unauthorized access to customers' personal data, modify this data, or permanently delete it, leading to violations of confidentiality, integrity, and availability of data stored in the system.
Security patches available from the vendor should be applied according to references. It is also recommended to implement object-level authorization verification for all API endpoints operating on user resources.
Easy!Appointments application (easyappointments by alextselegidis) — versions indicated in vendor references
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:HEasyappointments
APPEasyappointments< 1.5.0
Related vulnerabilities
EasyAppointments v.1.5.0 — privilege escalation przez index.php
BOLA w EasyAppointments — nieautoryzowany dostęp do webhooków innych użytkowników
BOLA w Easy!Appointments — nieautoryzowany dostęp do kont dostawców
BOLA w Easy!Appointments — privilege escalation do administratora
BOLA w EasyAppointments — nieuprawniony dostęp do wizyt innych użytkowników