IDOR lets attackers add or close others' unavailabilities in alextselegidis/easyappointments


Reported on Jun 5th 2023

Both user1 and user2 are Providers.

1. user1 logs in and adds an unavailability.

2. The request looks like:

POST /index.php/backend_api/ajax_save_unavailable HTTP/1.1

3. The body fragment id_users_provider%22%3A%229%22%7D is the URL-encoded JSON `id_users_provider":"9"}`, i.e. id_users_provider=9.

4. Change the id to 10, i.e. user2.

5. Send the request; user2 now owns the unavailability.

Attackers can close and add other providers' unavailabilities.
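As an added example, not part of the report or of the easyappointments code base: a framework-agnostic Python model of the server-side ownership check this endpoint was missing. It assumes the form body carries the unavailability as a JSON string in a field named `unavailable` (inferred from the encoded fragment in step 3) and that the logged-in provider's id comes from the authenticated session rather than from the request.

```python
import json
from urllib.parse import parse_qs, urlencode

# Constructed store of existing unavailabilities (id -> record); in the real
# application this is the database table behind the endpoint.
UNAVAILABLE_DB = {
    41: {"id": 41, "id_users_provider": 10,
         "start_datetime": "2023-06-05 09:00:00", "end_datetime": "2023-06-05 10:00:00"},
}

class Forbidden(Exception):
    """Raised when the session user may not act on the target unavailability."""

def make_body(unavailable: dict) -> str:
    """Build the form-encoded body the client sends (assumed field name
    'unavailable'); the JSON is URL-encoded exactly as in the report, e.g.
    id_users_provider%22%3A%229%22%7D."""
    return urlencode({"unavailable": json.dumps(unavailable)})

def parse_body(body: str) -> dict:
    fields = parse_qs(body)
    return json.loads(fields["unavailable"][0])

def save_unavailable(session_provider_id: int, body: str, db: dict) -> dict:
    """Hardened handler: the owner is fixed by the session, and any
    id_users_provider or record id supplied by the client is verified against it."""
    unavailable = parse_body(body)
    # Check 1: the client may not choose another provider as the owner (step 4).
    if int(unavailable.get("id_users_provider", -1)) != session_provider_id:
        raise Forbidden("id_users_provider does not match the logged-in provider")
    # Check 2: on update, the stored record must already belong to the caller,
    # otherwise someone else's unavailability could be altered or removed.
    if "id" in unavailable:
        record_id = int(unavailable["id"])
        existing = db.get(record_id)
        if existing is None or existing["id_users_provider"] != session_provider_id:
            raise Forbidden("record does not belong to the logged-in provider")
    else:
        record_id = max(db, default=0) + 1
    # Persist with the owner taken from the session, never from the payload.
    saved = dict(unavailable, id=record_id, id_users_provider=session_provider_id)
    db[record_id] = saved
    return saved
```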

We are processing your report and will contact the alextselegidis/easyappointments team within 24 hours. 4 months ago
lujiefsi modified the report
4 months ago
We have contacted a member of the alextselegidis/easyappointments team and are waiting to hear back 3 months ago
lujiefsi modified the report
3 months ago
3 months ago


any update for this issue?

2 months ago


any update?

Alex Tselegidis validated this vulnerability 2 months ago
lujiefsi has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Alex Tselegidis marked this as fixed in 1.5.0 with commit b37b46 2 months ago
Alex Tselegidis has been awarded the fix bounty
This vulnerability has been assigned a CVE
Alex Tselegidis published this vulnerability 2 months ago