Improper Access Control allows one provider to view and edit other providers' appointment details in alextselegidis/easyappointments

Valid

Reported on

Mar 24th 2023


Description

Log in using one provider's credentials. After a successful login, notice the POST request to /index.php/backend_api/ajax_get_calendar_appointments that loads the provider's own appointment information. The endpoint trusts the request parameters: by changing record_id to any other number (starting from 1, up to however many services exist) and setting filter_type=service, with a one-month range for start_date and end_date, the provider can view and edit the appointment details of every other provider offering that service, which they should not be allowed to do (the provider effectively gains the secretary's privileges on the Calendar page). The returned appointment details also contain sensitive information, such as the other provider's and the customer's details. The following are the sample request parameters I sent from the provider account to retrieve every other provider's appointment details for the first service:

csrfToken=07fa417ef4a7e4a5e0a7ae494f5b0369&record_id=1&start_date=2023-03-19&end_date=2023-03-26&filter_type=service
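The authorization gap described above, modelled in Python as an added example (this is not Easy!Appointments' own code, which is PHP): a vulnerable lookup that filters only on the client-supplied record_id and filter_type, beside a hardened one that additionally scopes the result to what the session's role may see, a write-side check for the edit path, and a helper that flags any appointment returned to a provider session that belongs to another provider. The appointment rows, user ids, secretary-to-provider mapping and role names are constructed for the example; the field names id_users_provider and id_services are assumed to mirror the Easy!Appointments schema.

```python
"""Model of the missing authorization check on a calendar-appointments endpoint.

Added example, not Easy!Appointments code. All data below is constructed;
field names (id_users_provider, id_services) are assumed to mirror the
Easy!Appointments schema.
"""
from dataclasses import dataclass

ADMIN, SECRETARY, PROVIDER = "admin", "secretary", "provider"  # assumed role slugs


@dataclass(frozen=True)
class Appointment:
    id: int
    id_users_provider: int
    id_users_customer: int
    id_services: int
    start: str


@dataclass(frozen=True)
class Session:
    user_id: int
    role_slug: str


# Constructed sample data: providers 10 and 11 both offer service 1;
# provider 11 also offers service 2.
APPOINTMENTS = [
    Appointment(1, 10, 100, 1, "2023-03-20 09:00"),
    Appointment(2, 11, 101, 1, "2023-03-20 10:00"),
    Appointment(3, 11, 102, 2, "2023-03-21 11:00"),
    Appointment(4, 10, 103, 1, "2023-03-22 12:00"),
]

# Constructed: which providers each secretary is allowed to manage.
SECRETARY_PROVIDERS = {20: {10}}


def _match_filter(a, filter_type, record_id):
    """The filter the client asks for; it narrows, it must never widen, the scope."""
    if filter_type == "provider":
        return a.id_users_provider == record_id
    if filter_type == "service":
        return a.id_services == record_id
    raise ValueError(f"unknown filter_type {filter_type!r}")


def vulnerable_calendar_appointments(session, record_id, filter_type, appts=APPOINTMENTS):
    """Filters only by the client-supplied record_id/filter_type.

    A provider sending filter_type=service receives every provider's bookings
    for that service: the session is never consulted.
    """
    return [a for a in appts if _match_filter(a, filter_type, record_id)]


def hardened_calendar_appointments(session, record_id, filter_type, appts=APPOINTMENTS):
    """Same filter, then scoped to what the caller's role may see."""
    rows = [a for a in appts if _match_filter(a, filter_type, record_id)]
    if session.role_slug == ADMIN:
        return rows
    if session.role_slug == SECRETARY:
        allowed = SECRETARY_PROVIDERS.get(session.user_id, set())
        return [a for a in rows if a.id_users_provider in allowed]
    if session.role_slug == PROVIDER:
        # A provider only ever sees their own appointments, whatever record_id says.
        return [a for a in rows if a.id_users_provider == session.user_id]
    return []  # unknown role: deny rather than fall through


def can_modify_appointment(session, a):
    """Write-side check a save handler should make before editing an appointment."""
    if session.role_slug == ADMIN:
        return True
    if session.role_slug == SECRETARY:
        return a.id_users_provider in SECRETARY_PROVIDERS.get(session.user_id, set())
    if session.role_slug == PROVIDER:
        return a.id_users_provider == session.user_id
    return False


def leaked_ids(rows, session):
    """Ids of appointments in a response that a provider session should not have received."""
    if session.role_slug != PROVIDER:
        return []
    return sorted(a.id for a in rows if a.id_users_provider != session.user_id)


if __name__ == "__main__":
    provider10 = Session(10, PROVIDER)
    vuln = vulnerable_calendar_appointments(provider10, 1, "service")
    print("vulnerable response leaks appointment ids:", leaked_ids(vuln, provider10))
    hard = hardened_calendar_appointments(provider10, 1, "service")
    print("hardened response leaks appointment ids:", leaked_ids(hard, provider10))
```

leaked_ids is the same check a tester applies to the real response: every returned row whose provider id differs from the logged-in provider's is a confidentiality leak, whichever record_id was requested. The hardened lookup never lets filter_type decide the scope; the role decides the scope and the client's filter only narrows within it, and the same role check has to be repeated on the save path, since reading and editing are separate requests.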

Impact

This vulnerability affects data confidentiality and integrity, as it allows one provider to view and edit other providers' appointments.

Timeline

- Report received; the alextselegidis/easyappointments team to be contacted within 24 hours (2 months ago)
- hacker1984 modified the report (2 months ago, twice)
- A member of the alextselegidis/easyappointments team was contacted; awaiting their response (2 months ago)
- Alex Tselegidis validated this vulnerability (a month ago)
- hacker1984 was awarded the disclosure bounty
- Alex Tselegidis marked this as fixed in 1.5.0 with commit 75b247 (a month ago)
- Alex Tselegidis was awarded the fix bounty
- This vulnerability has been assigned a CVE
- Alex Tselegidis published this vulnerability (a month ago)
hacker1984 (Researcher), a month ago

Hi, as I understand it you will be filing the CVE for this vulnerability. Since our company is one of the CNAs, would you be able to file it with us instead? If you decide to file it on your own, would you mind including our company advisory as one of the CVE references? Thanks.
