CVE-2022-1397 – alextselegidis/easyappointments

Package

Manager: composer
Name: alextselegidis/easyappointments
Vulnerable Version: >=0 <=1.4.3

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

EPSS: 0.0021 pctl0.43467

Details

Privilege escalation in easyappointments The Easy!Appointments API authorization is checked against the user's existence, without validating the permissions. As a result, a low privileged user (eg. provider) can create a new admin user via the "/api/v1/admins/" endpoint and take over the system. A [patch](https://github.com/alextselegidis/easyappointments/commit/63dbb51decfcc1631c398ecd6d30e3a337845526) is available on the `develop` branch of the repository.

Metadata

Created: 2022-05-11T00:01:38Z
Modified: 2022-05-25T19:31:53Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-7f62-4887-cfv5/GHSA-7f62-4887-cfv5.json
CWE IDs: ["CWE-269"]
Alternative ID: GHSA-7f62-4887-cfv5
Finding: F159
Auto approve: 1