PT-2023-17840 · Alextselegidis · Easyappointments

Published: 2023-04-15 · Updated: 2023-04-24 · CVE-2023-2105

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: alextselegidis/easyappointments versions prior to 1.5.0

Description: The issue is a session fixation weakness: the application does not generate a new ea session cookie after a user authenticates. An attacker can therefore create a session cookie value and inject it into a victim's browser; once the victim logs in, the planted cookie becomes an authenticated session, granting the attacker access to the victim's account. If the target is an administrator, this leads to privilege escalation without the administrator's knowledge.

Recommendations: For versions prior to 1.5.0, update to version 1.5.0 or later, which includes the patch for this issue, committed in 7f37350fab9d729a9350d96369ff0f453cf7b840.
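To make the weakness concrete, here is an added Python model (not Easyappointments' own PHP code) of a login that keeps the pre-authentication session id beside one that issues a fresh id, plus a check a defender can run against a login response; the cookie name `ea_session` is an assumption based on the advisory's "ea session cookie" wording.

```python
import secrets
from dataclasses import dataclass, field

COOKIE_NAME = "ea_session"  # assumed name for the advisory's "ea session cookie"


@dataclass
class SessionStore:
    """Constructed stand-in for the server-side session table."""
    sessions: dict = field(default_factory=dict)

    def new_session(self) -> str:
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def login_vulnerable(self, sid: str, user: str) -> str:
        # Pre-1.5.0 pattern: mark the existing session authenticated, keep its id.
        self.sessions.setdefault(sid, {"user": None})["user"] = user
        return sid

    def login_fixed(self, sid: str, user: str) -> str:
        # Fixed pattern: discard the pre-auth id and issue a fresh one on authentication.
        self.sessions.pop(sid, None)
        new_sid = self.new_session()
        self.sessions[new_sid]["user"] = user
        return new_sid

    def whoami(self, sid: str):
        return self.sessions.get(sid, {}).get("user")


def fixation_succeeds(fixed: bool) -> bool:
    """Replay the advisory scenario: a known session id exists before the victim
    logs in. Returns True if that same id is an authenticated session afterwards."""
    store = SessionStore()
    planted = store.new_session()          # id already known before the victim authenticates
    login = store.login_fixed if fixed else store.login_vulnerable
    login(planted, "admin")                # victim authenticates with the planted cookie
    return store.whoami(planted) == "admin"


def session_rotated(pre_login_value: str, set_cookie_header: str) -> bool:
    """Defender check on a login response: the Set-Cookie header must carry a
    new ea_session value. No ea_session cookie at all also counts as not rotated."""
    for attr in set_cookie_header.split(";"):
        name, _, value = attr.strip().partition("=")
        if name == COOKIE_NAME:
            return value != pre_login_value
    return False
```

Calling `fixation_succeeds(False)` reproduces the pre-1.5.0 behaviour and returns True; `fixation_succeeds(True)` returns False because the planted id is no longer a valid session once a fresh one is issued at login.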

Weakness Enumeration

Session Fixation

Related Identifiers

CVE-2023-2105
GHSA-4QMM-CV4R-QFR4

Affected Products

Easyappointments