CRITICAL🇵🇱 Wersja polska

CVE-2024-57602

CVSS 9.8v3.1pub. 2025-02-12upd. 2025-03-18

An issue in Alex Tselegidis EasyAppointments v.1.5.0 allows a remote attacker to escalate privileges via the index.php file.

🤖 AI Analysis
How it works

The issue concerns the index.php file, which allows unauthorized privilege escalation (CWE-269 — improper privilege management). An attacker can remotely, without authentication and without user interaction, make an appropriate request to the application and obtain a higher access level than they should have. The detailed technical mechanism has not been disclosed in the available description.

Impact

An attacker can obtain elevated privileges in the EasyAppointments application, which may lead to complete system takeover, data disclosure, data modification, or service unavailability.

Mitigation & patch

Patches available from the vendor should be applied according to references. It is recommended to update to the latest available version of EasyAppointments and restrict access to the application only to trusted networks or users until the patch is deployed.

Who is affected

Alex Tselegidis EasyAppointments v.1.5.0

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Easyappointments

    APP
    Easyappointments
    1.5.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
LPE
CWE
References

Related vulnerabilities

CVE-2023-38049CRITICAL9.9PL ✓ten sam produkt

BOLA w EasyAppointments — nieuprawniony dostęp do wizyt innych użytkowników

CVE-2023-38050CRITICAL9.1PL ✓ten sam produkt

BOLA w EasyAppointments — nieautoryzowany dostęp do webhooków innych użytkowników

CVE-2023-38048CRITICAL9.9PL ✓ten sam produkt

BOLA w Easy!Appointments — nieautoryzowany dostęp do kont dostawców

CVE-2023-3287CRITICAL9.9PL ✓ten sam produkt

BOLA w Easy!Appointments — privilege escalation do administratora

CVE-2023-38051CRITICAL9.9PL ✓ten sam produkt

BOLA w Easy!Appointments — nieuprawniony dostęp do danych sekretarek