Improper Access Control which allows one provider to view and edit other providers' appointment details in alextselegidis/easyappointments
Reported on
Mar 24th 2023
Description
Log in using one provider's credentials. After a successful login, notice that there is a POST request to /index.php/backend_api/ajax_get_calendar_appointments which allows the provider to view their own appointment information. However, by changing the record_id parameter to any number (starting from 1, depending on how many services you have) and setting filter_type=service with a one-month range of start_date and end_date in the POST request, the provider is able to view and edit other providers' appointment details, which they should not be allowed to do (the provider effectively gains the secretary's privileges on the Calendar page). Furthermore, the appointment details contain sensitive information such as the other providers' and customers' details. Following is the sample HTTP request parameter string I sent using the provider account to retrieve all the other providers' appointment details for the first service.
csrfToken=07fa417ef4a7e4a5e0a7ae494f5b0369&record_id=1&start_date=2023-03-19&end_date=2023-03-26&filter_type=service
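The root cause described above is that the server derives the query scope (record_id and filter_type) entirely from client-controlled parameters instead of from the authenticated session. The following is an added illustration, not Easy!Appointments code: it models the flawed handler next to a hardened one that derives the permitted scope from the session role, and parses the exact parameter string from the report. The appointment data, the Session class, the Forbidden exception and the rule that a secretary may filter by any provider or service are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date
from urllib.parse import parse_qs


# Constructed sample data (not from the project): each appointment belongs to a
# provider and a service and carries customer details, which is what leaks.
@dataclass(frozen=True)
class Appointment:
    id: int
    provider_id: int
    service_id: int
    customer: str
    start: date


APPOINTMENTS = [
    Appointment(10, provider_id=1, service_id=1, customer="Alice (constructed)", start=date(2023, 3, 20)),
    Appointment(11, provider_id=2, service_id=1, customer="Bob (constructed)", start=date(2023, 3, 21)),
    Appointment(12, provider_id=2, service_id=2, customer="Carol (constructed)", start=date(2023, 4, 2)),
]


@dataclass(frozen=True)
class Session:
    user_id: int
    role: str  # "provider" or "secretary", the two roles named in the report (assumed model)


class Forbidden(Exception):
    """Raised when the session is not allowed to query the requested scope."""


def _query(record_id, filter_type, start_date, end_date):
    # Shared data access: filter by service or by provider, then by date range.
    key = "service_id" if filter_type == "service" else "provider_id"
    return [a for a in APPOINTMENTS
            if getattr(a, key) == record_id and start_date <= a.start <= end_date]


def calendar_appointments_vulnerable(session, record_id, filter_type, start_date, end_date):
    # Flawed pattern: the session is never consulted, so a provider who sends
    # filter_type=service and any record_id reads every provider's bookings.
    return _query(record_id, filter_type, start_date, end_date)


def calendar_appointments_fixed(session, record_id, filter_type, start_date, end_date):
    # Hardened pattern: the permitted scope comes from the authenticated role, and
    # the client-supplied record_id/filter_type are honoured only if the role allows them.
    if session.role == "provider":
        if filter_type != "provider" or record_id != session.user_id:
            raise Forbidden("providers may only view their own appointments")
    elif session.role == "secretary":
        pass  # assumed for this example: secretaries may filter by any provider or service
    else:
        raise Forbidden("unknown role")
    return _query(record_id, filter_type, start_date, end_date)


def parse_request(body):
    """Parse the urlencoded POST body into typed parameters (csrfToken is ignored here)."""
    params = parse_qs(body, strict_parsing=True)
    return (int(params["record_id"][0]),
            params["filter_type"][0],
            date.fromisoformat(params["start_date"][0]),
            date.fromisoformat(params["end_date"][0]))


def request_allowed(session, body):
    """True if the hardened handler would serve this body for this session."""
    try:
        calendar_appointments_fixed(session, *parse_request(body))
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    body = ("csrfToken=07fa417ef4a7e4a5e0a7ae494f5b0369&record_id=1"
            "&start_date=2023-03-19&end_date=2023-03-26&filter_type=service")
    provider2 = Session(user_id=2, role="provider")
    leaked = calendar_appointments_vulnerable(provider2, *parse_request(body))
    print("vulnerable handler returns providers:", sorted({a.provider_id for a in leaked}))
    print("hardened handler allows provider 2:", request_allowed(provider2, body))
```

The design point is that the authorization decision is made before the query is built, using only session state: the provider role cannot reach the service filter at all, and the record_id it may use is pinned to its own id rather than compared against the request.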
Impact
This vulnerability impacts data confidentiality and integrity, as it allows one provider to view and edit other providers' appointments.
Hi, as I understood you will be filing the CVE for this vulnerability; since our company is one of the CNAs, would you be able to file with us instead? If you decide to file on your own, would you mind including our company advisory as part of the CVE references? Thanks.