Default account creation on all installation methods in alextselegidis/easyappointments
Valid
Reported on Feb 6th 2023
Description
The credentials of the administrator user (console installation) are set by default. Additionally, in both the console installation and the GUI installation, a janedoe account is created with default credentials.
Impact
An attacker could exploit this vulnerability by remotely logging in to an affected system using the default credentials.
We are processing your report and will contact the alextselegidis/easyappointments team within 24 hours.
2 months ago
We have contacted a member of the alextselegidis/easyappointments team and are waiting to hear back.
a month ago
Hello!
Thanks for submitting this.
I've updated the seeders to provide custom passwords wherever there is no UI input for them.
The researcher's credibility has increased: +7
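The fix described in the maintainer's reply, sketched as an added PHP example that is not the project's own seeder code. The function names, the returned array layout, the use of password_hash() and the placeholder default password are assumptions made for illustration.

```php
<?php
// Added illustration; not code from alextselegidis/easyappointments.
// Function names, the array layout and password_hash() are assumptions.

// Weak pattern: every installation is seeded with the same known password.
function seed_with_default(string $username): array
{
    $password = 'CONSTRUCTED-DEFAULT'; // constructed placeholder, not the project's value
    return [
        'username' => $username,
        'hash'     => password_hash($password, PASSWORD_DEFAULT),
        'shown'    => null,
    ];
}

// Hardened pattern: use the operator's password when one was supplied,
// otherwise generate a unique one and return it once for display.
function seed_with_custom(string $username, ?string $supplied = null): array
{
    $generated = null;
    if ($supplied === null || $supplied === '') {
        // 18 bytes from the CSPRNG, hex-encoded to 36 characters (144 bits)
        $generated = bin2hex(random_bytes(18));
    }
    $password = $generated ?? $supplied;

    return [
        'username' => $username,
        'hash'     => password_hash($password, PASSWORD_DEFAULT),
        'shown'    => $generated, // plaintext only when generated; never stored
    ];
}

// Simulate two separate installations and test the shared default against each.
foreach (['install-a', 'install-b'] as $install) {
    $weak = seed_with_default('janedoe');
    $safe = seed_with_custom('janedoe');

    printf(
        "%s: default password accepted by weak seed: %s, by custom seed: %s\n",
        $install,
        var_export(password_verify('CONSTRUCTED-DEFAULT', $weak['hash']), true),
        var_export(password_verify('CONSTRUCTED-DEFAULT', $safe['hash']), true)
    );
    // The generated password is printed once so the operator can record it.
    printf("%s: one-time password for janedoe: %s\n", $install, $safe['shown']);
}
```

Existing installations seeded before such a change still hold the old accounts, so their passwords need to be rotated or the accounts removed separately.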