CVE-2023-3286
📋 TL;DR
This CVE describes a Broken Object Level Authorization (BOLA) vulnerability in the Easy!Appointments system where a low-privileged user can create additional low-privileged user accounts (secretaries) without proper authorization. This allows unauthorized data manipulation and privilege escalation. Any Easy!Appointments installation with user accounts is affected.
💻 Affected Systems
- Easy!Appointments
📦 What is this software?
Easyappointments by Easyappointments
⚠️ Risk & Real-World Impact
Worst Case
An attacker could create multiple unauthorized accounts to manipulate appointment data, access sensitive information, or disrupt business operations through coordinated attacks.
Likely Case
Unauthorized users create fake secretary accounts to view or modify appointment data, potentially exposing customer information or disrupting scheduling.
If Mitigated
With proper authorization checks, only authorized administrators can create user accounts, preventing unauthorized access.
🎯 Exploit Status
Requires low-privileged user account but exploitation is straightforward via API calls.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check GitHub repository for latest version
Vendor Advisory: https://github.com/alextselegidis/easyappointments
Restart Required: No
Instructions:
1. Update to the latest version from the GitHub repository.
2. Verify that authorization checks are implemented for the POST /secretaries endpoint.
3. Test that only authorized users can create accounts.
🔧 Temporary Workarounds
Temporary endpoint restriction
Restrict access to the POST /secretaries endpoint to admin users only
# Configure web server or application firewall to restrict POST /secretaries
Enhanced authentication
Implement additional authentication checks for user creation endpoints
# Add middleware to verify admin privileges before processing POST /secretaries
🧯 If You Can't Patch
- Implement network-level access controls to restrict who can access the user creation endpoints
- Enable detailed logging for all user creation attempts and monitor for unauthorized activity
🔍 How to Verify
Check if Vulnerable:
Attempt to create a secretary account using a low-privileged user account via POST /secretaries endpoint
Check Version:
Check application version in admin panel or configuration files
Verify Fix Applied:
Verify that low-privileged users cannot create secretary accounts and receive proper authorization errors
📡 Detection & Monitoring
Log Indicators:
- Multiple secretary account creations from non-admin users
- Failed authorization attempts on POST /secretaries
Network Indicators:
- Unusual POST requests to /secretaries endpoint from non-admin IPs
SIEM Query:
source="web_logs" AND (uri="/secretaries" AND method="POST") AND user_role!="admin"
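The log indicators above (successful secretary creations by non-admin users, and 403s on POST /secretaries) as a small offline detection script. This is an added example, not part of the original advisory or the Easy!Appointments project; the log line format and all sample entries are constructed, and only the endpoint path /secretaries comes from the page.

```python
import re
from collections import Counter

# Constructed sample log lines (not from any real Easy!Appointments deployment).
# Assumed format: <client_ip> <user> <role> "<METHOD> <URI>" <status>
SAMPLE_LOGS = """\
10.0.0.5 alice admin "POST /secretaries" 200
10.0.0.9 bob provider "POST /secretaries" 200
10.0.0.9 bob provider "POST /secretaries" 200
10.0.0.9 bob provider "POST /secretaries" 403
10.0.0.7 carol secretary "GET /appointments" 200
10.0.0.7 carol secretary "POST /secretaries" 403
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "(\S+) (\S+)" (\d{3})$')


def parse(line):
    """Parse one constructed-format log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, user, role, method, uri, status = m.groups()
    return {"ip": ip, "user": user, "role": role,
            "method": method, "uri": uri, "status": int(status)}


def detect(log_text):
    """Count, per non-admin user, successful and denied POSTs to the /secretaries endpoint.

    Any successful creation by a non-admin is the BOLA indicator from the advisory;
    403s show the authorization check working (or an attacker probing it).
    """
    created = Counter()
    denied = Counter()
    for line in log_text.splitlines():
        e = parse(line)
        if e is None or e["method"] != "POST":
            continue
        # Match on the path suffix so an API prefix in front of /secretaries is still caught.
        if not e["uri"].rstrip("/").endswith("/secretaries"):
            continue
        if e["role"] == "admin":
            continue  # admins are the only legitimate creators
        if 200 <= e["status"] < 300:
            created[e["user"]] += 1
        elif e["status"] == 403:
            denied[e["user"]] += 1
    return {"created": dict(created), "denied": dict(denied)}
```

Feeding real access logs through this requires adapting `LINE_RE` to the server's own log format, and mapping the user's role from the application's session or user table if the web server does not log it.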