CVE-2022-1397

Name of the Vulnerable Software and Affected Versions easyappointments versions prior to 1.5.0

Description The issue concerns an API privilege escalation in the easyappointments GitHub repository. It allows a low-privileged user, such as a provider, to create a new admin user via the "/api/v1/admins/" endpoint, potentially leading to full system takeover. This is due to the API authorization checking the user's existence without validating their permissions.

Recommendations For versions prior to 1.5.0, update to version 1.5.0 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/api/v1/admins/" endpoint to prevent unauthorized creation of admin users. Additionally, review user permissions and validate them properly to prevent privilege escalation.