Google · Google Calendar · CVE-2024-6332
**Name of the Vulnerable Software and Affected Versions**
Amelia Premium versions up to 7.7
Amelia Lite versions up to 1.2.3
**Description**
The `ameliaButtonCommand` function lacks a capability check, which allows unauthenticated attackers to access employee calendar details. In the premium version, the exposed data also includes Google Calendar OAuth tokens.
**Recommendations**
For Amelia Premium versions up to 7.7, update to a version that includes a fix for the missing capability check on the `ameliaButtonCommand` function.
For Amelia Lite versions up to 1.2.3, update to a version that includes a fix for the missing capability check on the `ameliaButtonCommand` function.
As a temporary workaround, consider disabling the `ameliaButtonCommand` function until a patch is available.
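To check an installation against the affected ranges listed above, the following added example (not code from Amelia or from this advisory) reads the `Version:` field from a plugin header and compares it with the ceilings 7.7 and 1.2.3. It assumes that "up to" is inclusive and that the caller already knows which edition is installed; the sample header and all function names are constructed for illustration.

```python
import re

# Highest affected version per edition, from the advisory.
# Assumption: "up to" is inclusive.
AFFECTED_MAX = {"premium": (7, 7), "lite": (1, 2, 3)}

# WordPress-style header field, e.g. " * Version: 1.2.3"
HEADER_VERSION = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.I | re.M)

# Constructed sample plugin header (not taken from the real plugin).
SAMPLE_HEADER = """<?php
/*
Plugin Name: Amelia (constructed sample)
Version: 1.2.3
*/
"""

def read_header_version(plugin_source):
    """Return the Version header value, or None if absent."""
    # WordPress only scans the first 8 KiB of the file for headers.
    match = HEADER_VERSION.search(plugin_source[:8192])
    return match.group(1) if match else None

def parse_version(text):
    """Turn '7.7.1' into (7, 7, 1); trailing zeros are dropped so 7.7.0 == 7.7."""
    match = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in match.group(0).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def is_affected(edition, version):
    """True if the version falls in the advisory's affected range."""
    return parse_version(version) <= AFFECTED_MAX[edition.lower()]

def triage(edition, plugin_source):
    """Classify an install as 'affected', 'not affected' or 'unknown'."""
    version = read_header_version(plugin_source)
    if version is None:
        return "unknown"
    try:
        return "affected" if is_affected(edition, version) else "not affected"
    except ValueError:
        return "unknown"

if __name__ == "__main__":
    print("lite sample:", triage("lite", SAMPLE_HEADER))
```

An "unknown" result means the header could not be read or parsed and the install should be checked by hand.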