An issue in Alex Tselegidis EasyAppointments v.1.5.0 allows a remote attacker to escalate privileges via the index.php file.
The issue concerns the index.php file, which allows unauthorized privilege escalation (CWE-269 — improper privilege management). An attacker can remotely, without authentication and without user interaction, make an appropriate request to the application and obtain a higher access level than they should have. The detailed technical mechanism has not been disclosed in the available description.
An attacker can obtain elevated privileges in the EasyAppointments application, which may lead to complete system takeover, data disclosure, data modification, or service unavailability.
Patches available from the vendor should be applied according to references. It is recommended to update to the latest available version of EasyAppointments and restrict access to the application only to trusted networks or users until the patch is deployed.
Alex Tselegidis EasyAppointments v.1.5.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HEasyappointments
APPEasyappointments1.5.0
Related vulnerabilities
BOLA w EasyAppointments — nieuprawniony dostęp do wizyt innych użytkowników
BOLA w EasyAppointments — nieautoryzowany dostęp do webhooków innych użytkowników
BOLA w Easy!Appointments — nieautoryzowany dostęp do kont dostawców
BOLA w Easy!Appointments — privilege escalation do administratora
BOLA w Easy!Appointments — nieuprawniony dostęp do danych sekretarek