Default account creation on all installation methods in alextselegidis/easyappointments


Reported on

Feb 6th 2023


The credentials of the administrator user (console installation) are set by default. Additionally, in both the console installation and the GUI installation, a janedoe account is created with default credentials.


An attacker could exploit this vulnerability by remotely logging in to an affected system using the default credentials.

We are processing your report and will contact the alextselegidis/easyappointments team within 24 hours. 2 months ago
We have contacted a member of the alextselegidis/easyappointments team and are waiting to hear back a month ago
Alex Tselegidis
22 days ago



Thanks for submitting this.

I've updated the seeders to provide custom passwords wherever there is no UI input for them.
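The seeder pattern this fix describes, as an added example that is not taken from the Easy!Appointments code base or from commit 2731d2: a fixed install-time password beside a per-install generated one. The function names, array keys, the `administrator` username and the placeholder password are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical install-time seeder; names and fields are illustrative only,
// not the project's actual seeder code.

// Before: every installation is seeded with the same known secret.
function seed_account_fixed(string $username): array
{
    $password = 'CONSTRUCTED-DEFAULT'; // constructed placeholder, not the real default
    return [
        'username'      => $username,
        'password_hash' => password_hash($password, PASSWORD_DEFAULT),
    ];
}

// After: use the operator's input when there is one, otherwise a random
// secret that is unique to this installation.
function seed_account(string $username, ?string $supplied = null): array
{
    $generated = $supplied === null || $supplied === '';
    // 18 random bytes encode to 24 base64url characters (144 bits of entropy).
    $password = $generated
        ? rtrim(strtr(base64_encode(random_bytes(18)), '+/', '-_'), '=')
        : $supplied;

    return [
        'row' => [
            'username'      => $username,
            'password_hash' => password_hash($password, PASSWORD_DEFAULT),
        ],
        // Plaintext is returned only when it was generated, so the installer
        // can display it once; it is never stored.
        'show_once' => $generated ? $password : null,
    ];
}

// Constructed accounts mirroring the report: an administrator and janedoe.
foreach (['administrator', 'janedoe'] as $username) {
    $seeded = seed_account($username);
    if (!password_verify($seeded['show_once'], $seeded['row']['password_hash'])) {
        throw new RuntimeException("hash mismatch for $username");
    }
    // Shown on the console a single time; not written to logs or config files.
    fwrite(STDOUT, sprintf("%s: %s\n", $username, $seeded['show_once']));
}
```

Installations seeded before the fix keep whatever password they were created with, so upgrading does not replace rotating or removing those accounts.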

Alex Tselegidis validated this vulnerability 22 days ago
pedrojosenavasperez has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Alex Tselegidis marked this as fixed in 1.5.0 with commit 2731d2 14 days ago
Alex Tselegidis has been awarded the fix bounty
This vulnerability has been assigned a CVE
Alex Tselegidis published this vulnerability 14 days ago