Faroukn

**Name of the Vulnerable Software and Affected Versions** Easy!Appointments versions 1.5.2 and earlier **Description** The application's CSRF protection in `application/core/EA Security.php::csrf verify()` only applies to POST requests, bypassing validation for other request methods like GET. Several application endpoints accept state-changing parameters via GET or `$ REQUEST`, allowing an attacker to perform Cross-Site Request Forgery (CSRF) by crafting a malicious GET request. This can lead to the creation of admin accounts, modification of admin email/password, and full admin account takeover. Vulnerable API endpoints include: ''/admins/store'', ''/admins/update'', and ''/account/save''. The vulnerable parameters include `admin[first name]`, `admin[last name]`, `admin[email]`, `admin[mobile number]`, `admin[phone number]`, `admin[address]`, `admin[city]`, `admin[state]`, `admin[zip code]`, `admin[notes]`, `admin[language]`, `admin[timezone]`, `admin[settings][username]`, `admin[settings][notifications]`, `admin[settings][calendar view]`, `admin[settings][password]`, and `admin[id]`. **Recommendations** Versions prior to 1.5.2: Enforce CSRF checks for all request methods, or require a valid CSRF token for all methods unless the URI is explicitly whitelisted. As a long-term solution, update controllers to accept only the proper HTTP method (POST/PUT/DELETE) for state-changing actions. Consider requiring re-authentication or confirmation for critical operations like email/password changes.