PT-2026-58067 · Unknown · Easyappointments
CVE-2026-52839
·
Published
2026-07-14
·
Updated
2026-07-14
CVSS v3.1
3.3
Low
| Vector | AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Easy!Appointments versions prior to 1.6.0
Description
An issue exists where the application fails to verify if the
id users provider submitted to specific endpoints belongs to the current session. While provider isolation is maintained in search responses, the mutation endpoints 'appointments/store' and 'appointments/update' only check for generic privileges. This allows an authenticated provider to inject new appointments into another provider's schedule or reassign existing appointments to a different provider's calendar. Additionally, the 'appointments/store' endpoint contains a write-before-crash bug where unauthorized data is committed to the database before a type error causes the controller to crash, resulting in the data being persisted despite the user receiving an error response.Recommendations
Update to version 1.6.0.
Restrict the use of the
id users provider variable in the 'appointments/store' and 'appointments/update' endpoints until the update is applied.Exploit
Fix
Missing Authorization
IDOR
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Easyappointments