Session Fixation Vulnerability in alextselegidis/easyappointments


Reported on

Mar 15th 2023


It was noticed that the easyappointments application is vulnerable to Session Fixation vulnerability. The application does not generate a new ea_session cookie after the user authenticate successfully into the application. A malicious user is able to create a new session cookie value and inject it to a victim. After the victim logs in, the injected cookie becomes valid, giving the attacker access to the user's account through the active session.

The vulnerability also allows privilege escalation where the current user is able to privilege escalate to admin user if they are able inject their session cookie and let admin login using the cookie. Since the application allows concurrent login, the admin user will not aware their session already been taking over.

Proof of Concept

  1. Browse to the login page and login using a normal user account.

  2. Noticed if the ea_session cookie already exist in the HTTP request header, the application will not regenerate a new one. The application will reuse the session cookie that are being set in HTTP request header.

  3. After login successfully, note down the ea_session cookie.

  4. Open a new browser and set the ea_session cookie that was being recorded previously and login using admin account.

  5. After login successfully, go back to the normal user account browser and refresh the page. Noticed the normal user now has been privilege to admin user.

  6. Now both admin account can concurrently using the application without being notified


Allows the attacker access to the victim's account. This could mean access to higher level privileges or the ability to look at sensitive data.

We are processing your report and will contact the alextselegidis/easyappointments team within 24 hours. 2 months ago
hacker1984 modified the report
2 months ago
hacker1984 modified the report
2 months ago
We have contacted a member of the alextselegidis/easyappointments team and are waiting to hear back 2 months ago
2 months ago


Hi, I think it has been quite a while since the bug last reported. Have we gotten any feedback from the author yet? Thanks.

Alex Tselegidis validated this vulnerability a month ago
hacker1984 has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Alex Tselegidis marked this as fixed in 1.5.0 with commit 7f3735 a month ago
Alex Tselegidis has been awarded the fix bounty
This vulnerability has been assigned a CVE
Alex Tselegidis published this vulnerability a month ago
User.php#L122-L126 has been validated
a month ago


Hi, as I understood you will be filling the CVE for this vulnerability, since our company is one of the CNA, would you be able to file with us instead? If you decided to file by your own, would you mind to include our company advisory as part of the CVE reference? Thanks.

to join this conversation