PT-2022-13206 · WordPress · Easyappointments

Published: 2022-03-09 · Updated: 2022-06-03 · CVE-2022-0482

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: alextselegidis/easyappointments versions prior to 1.4.3
Description: The issue is an exposure of private personal information to an unauthorized actor caused by a Broken Access Control vulnerability in the Easy Appointments plugin. Because of an error in the API permission checks, unauthenticated users can read private user data stored on the target system. The vulnerability was discovered by security researcher Francesco Carlucci and reported to the developers. Although a fix has been released, Easy Appointments has no automatic update or notification system, so many instances remain vulnerable and their user data remains at risk. The vulnerable endpoint is /index.php/backend_api/ajax_get_calendar_events, which performs no authentication or permission check and requires only the startDate, endDate, and csrfToken parameters in a POST request. The csrfToken is embedded in the public form, so any unauthenticated user can obtain it; a CSRF token protects against cross-site request forgery, not against anonymous callers, and so does not compensate for the missing authorization check.
Recommendations: For versions prior to 1.4.3, update the software to version 1.4.3 or later, which fixes the vulnerability. As a temporary workaround, restrict access to the /index.php/backend_api/ajax_get_calendar_events endpoint until the update is applied; since legitimate backend users call the same endpoint, restrict it by source (for example, to administrator networks) rather than blocking it outright. Alternatively, the patch can be downloaded from GitHub and applied manually to an earlier version.
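The following is an added detection example, not part of this advisory or the Easy Appointments project: it scans web-server access logs for POST requests to the vulnerable endpoint that arrive without a backend session cookie, which is the unauthenticated access pattern described above. It assumes a log format that records the Cookie header and a session cookie named ci_session; both are assumptions about the deployment, and the sample log lines are constructed.

```python
"""Added example (not part of the advisory): flag unauthenticated POSTs to the
vulnerable Easy Appointments endpoint in web-server access logs.

Assumes an access-log format that appends the request's Cookie header in quotes
after the user agent (Apache's %{Cookie}i), and that a logged-in backend session
is carried in a cookie named ci_session (an assumption about the deployment)."""
import re
from typing import Dict, List

VULN_PATH = "/index.php/backend_api/ajax_get_calendar_events"
SESSION_COOKIE = "ci_session"

# Combined log format followed by the quoted Cookie header.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "[^"]*" "(?P<cookie>[^"]*)"$'
)

def parse_line(line: str) -> Dict[str, str]:
    """Parse one log line; return {} for lines that do not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else {}

def is_unauth_calendar_fetch(entry: Dict[str, str]) -> bool:
    """True for a POST to the vulnerable endpoint that carries no backend session cookie."""
    if not entry or entry["method"] != "POST":
        return False
    if entry["path"].split("?", 1)[0] != VULN_PATH:
        return False
    names = {c.split("=", 1)[0].strip() for c in entry["cookie"].split(";") if c.strip()}
    return SESSION_COOKIE not in names

def find_suspicious(lines: List[str]) -> List[Dict[str, str]]:
    """Return matching entries so they can be aggregated per source IP or time window."""
    return [e for e in map(parse_line, lines) if is_unauth_calendar_fetch(e)]

# Constructed sample lines: an admin with a session, an anonymous client, and an unrelated GET.
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Mar/2022:10:00:01 +0000] "POST /index.php/backend_api/ajax_get_calendar_events HTTP/1.1" 200 8123 "-" "Mozilla/5.0" "ci_session=abc123"',
    '198.51.100.7 - - [09/Mar/2022:10:00:09 +0000] "POST /index.php/backend_api/ajax_get_calendar_events HTTP/1.1" 200 8123 "-" "python-requests/2.27" "-"',
    '198.51.100.7 - - [09/Mar/2022:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 5000 "-" "python-requests/2.27" "-"',
]

if __name__ == "__main__":
    for e in find_suspicious(SAMPLE_LOG):
        print(f'{e["ts"]} {e["ip"]} unauthenticated fetch of calendar events (HTTP {e["status"]})')
```

A hit with HTTP 200 on an instance older than 1.4.3 indicates private appointment data was returned; on a patched instance the same request pattern should be rejected, so the status code tells you whether the fix is in place.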

Weakness Enumeration

Incorrect Authorization

Related Identifiers

CVE-2022-0482
GHSA-R6CM-WG48-RH2R

Affected Products

Easyappointments