CVE-2023-3289
📋 TL;DR
This Broken Object Level Authorization (BOLA) vulnerability allows low-privileged users to create services for any user in the system, including administrators. This enables unauthorized data manipulation and privilege escalation. All users of vulnerable Easy!Appointments installations are affected.
💻 Affected Systems
- Easy!Appointments
📦 What is this software?
Easy!Appointments, by the Easy!Appointments project: an open-source, self-hosted web application for appointment scheduling.
⚠️ Risk & Real-World Impact
Worst Case
An attacker could create malicious services for admin users, potentially gaining administrative privileges, manipulating all appointment data, or disrupting the entire scheduling system.
Likely Case
Low-privileged users create unauthorized services for other users, leading to data integrity issues, unauthorized access to appointment information, and potential service disruption.
If Mitigated
With proper authorization checks, users can only create services for themselves or within their authorized scope, preventing unauthorized data manipulation.
🎯 Exploit Status
Requires authenticated low-privileged user access. Simple HTTP POST request manipulation can exploit this vulnerability.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check latest Easy!Appointments release
Vendor Advisory: https://github.com/alextselegidis/easyappointments
Restart Required: No
Instructions:
1. Update to the latest version of Easy!Appointments.
2. Apply the authorization fix for the POST /services endpoint.
3. Verify the fix by testing service creation with different user privileges.
🔧 Temporary Workarounds
Temporary Authorization Check
- Add server-side authorization validation so that users can only create services for themselves.
- Modify the POST /services endpoint to validate that the user_id parameter matches the currently authenticated user (or that the caller holds a role permitted to act for other users).
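The check the workaround describes, modelled as an added Python example. This is not Easy!Appointments code (the project is PHP): the Session and request shapes, the role name `admin`, and the function names `authorize_service_creation`, `create_service` and `verify_fix` are assumptions made for the illustration. The rule enforced is the one above: a caller may only name their own user_id unless they hold the admin role, and an unparsable or missing user_id is rejected rather than defaulted. `verify_fix` runs the three scenarios the "Verify Fix Applied" step calls for (self allowed, cross-user denied, admin allowed) against that handler.

```python
"""Server-side authorization for service creation (added example, not project code)."""
from dataclasses import dataclass

ADMIN_ROLE = "admin"  # assumed role name; map to the application's real role


@dataclass(frozen=True)
class Session:
    """What the handler trusts: identity taken from the server-side session, not the request body."""
    user_id: int
    role: str


class AuthorizationError(Exception):
    pass


def authorize_service_creation(session: Session, requested_user_id) -> bool:
    """Return True only if `session` may create a service owned by `requested_user_id`."""
    try:
        target = int(requested_user_id)
    except (TypeError, ValueError):
        return False  # missing or malformed id: deny, never fall back to a default
    if session.role == ADMIN_ROLE:
        return True  # admins may act for any user (the "authorized scope" case)
    return target == session.user_id


def create_service(session: Session, form: dict, store: list) -> dict:
    """Model of the POST /services handler: authorize first, persist second."""
    if not authorize_service_creation(session, form.get("user_id")):
        raise AuthorizationError("user_id does not match the authenticated user")
    record = {"user_id": int(form["user_id"]), "name": form.get("name", "")}
    store.append(record)
    return record


def verify_fix() -> dict:
    """The three checks from 'Verify Fix Applied', using constructed sessions and forms."""
    store = []
    low = Session(user_id=7, role="provider")   # constructed low-privileged user
    admin = Session(user_id=1, role=ADMIN_ROLE)  # constructed administrator
    results = {}
    results["self_allowed"] = (
        create_service(low, {"user_id": "7", "name": "Haircut"}, store)["user_id"] == 7
    )
    try:
        create_service(low, {"user_id": "1", "name": "Rogue"}, store)
        results["cross_user_denied"] = False
    except AuthorizationError:
        results["cross_user_denied"] = True
    results["admin_any_allowed"] = (
        create_service(admin, {"user_id": "7", "name": "Massage"}, store)["user_id"] == 7
    )
    results["records_stored"] = len(store)
    return results


if __name__ == "__main__":
    print(verify_fix())
```

Validating the parameter is the minimal change; a stronger variant for non-admin callers is to ignore the submitted user_id entirely and always write the session's own user id, which removes the parameter from the trust boundary altogether.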
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules for POST requests to the /services endpoint, rejecting requests whose user_id parameter does not match the authenticated session's user (this requires the WAF to see the session identity, so treat it as a stopgap, not a substitute for the server-side check)
- Disable low-privileged user accounts or restrict their access to service creation functionality
🔍 How to Verify
Check if Vulnerable:
Attempt to create a service for another user via POST /services while authenticated as a low-privileged user
Check Version:
Check Easy!Appointments version in admin panel or configuration files
Verify Fix Applied:
Test that low-privileged users can only create services for themselves, not for other users
📡 Detection & Monitoring
Log Indicators:
- Multiple POST requests to /services endpoint with different user_id parameters from same source
- Service creation logs showing mismatched user IDs
Network Indicators:
- Unusual patterns of POST requests to /services endpoint
- Requests with manipulated user_id parameters
SIEM Query (pseudo-syntax; adapt field names to your log schema, and exclude administrator sessions to avoid flagging legitimate cross-user creation):
source="web_server" AND method="POST" AND uri="/services" AND user_id != current_user
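The two log indicators above, implemented as an added Python example that runs over constructed log lines. This is not Easy!Appointments' logging or a real SIEM export: the line layout (timestamp, client IP, method, URI, the session's user id, the submitted user_id) and the function names are assumptions. `find_mismatches` is the "mismatched user IDs" indicator with an admin allow-list so legitimate administrator actions are not flagged; `find_fanout` is the "multiple POST requests with different user_id parameters from the same source" indicator.

```python
"""Detection over web/application logs for cross-user service creation (added example)."""
import re
from collections import defaultdict

# Constructed log layout for this example, not the application's real format.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<uri>\S+)"
    r" session_user=(?P<session_user>\d+) user_id=(?P<user_id>\d+)$"
)

# Constructed sample: one source creating services for several other users,
# one benign self-creation, one non-/services request, one admin acting for another user.
SAMPLE_LOG = """\
2023-06-16T10:00:01Z 203.0.113.5 POST /services session_user=7 user_id=7
2023-06-16T10:00:05Z 203.0.113.5 POST /services session_user=7 user_id=1
2023-06-16T10:00:09Z 203.0.113.5 POST /services session_user=7 user_id=2
2023-06-16T10:00:12Z 203.0.113.5 GET /services session_user=7 user_id=2
2023-06-16T10:00:14Z 203.0.113.5 POST /services session_user=7 user_id=3
2023-06-16T10:01:00Z 198.51.100.9 POST /services session_user=4 user_id=4
2023-06-16T10:01:30Z 198.51.100.9 POST /appointments session_user=4 user_id=9
2023-06-16T10:02:00Z 192.0.2.20 POST /services session_user=1 user_id=5
"""


def parse(line):
    """Return the parsed fields of one log line, or None if it does not match the layout."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def service_posts(lines):
    """Yield only parsed POST /services records; other methods and URIs are ignored."""
    for line in lines:
        rec = parse(line)
        if rec and rec["method"] == "POST" and rec["uri"] == "/services":
            yield rec


def find_mismatches(lines, admin_ids=frozenset()):
    """Indicator 1: submitted user_id differs from the session user.

    Sessions in `admin_ids` are skipped because administrators may legitimately
    create services for other users; without that allow-list they would be false positives.
    """
    hits = []
    for rec in service_posts(lines):
        if rec["session_user"] in admin_ids:
            continue
        if rec["user_id"] != rec["session_user"]:
            hits.append((rec["ts"], rec["src"], rec["session_user"], rec["user_id"]))
    return hits


def find_fanout(lines, threshold=3):
    """Indicator 2: a single source submitting at least `threshold` distinct user_id values."""
    seen = defaultdict(set)
    for rec in service_posts(lines):
        seen[rec["src"]].add(rec["user_id"])
    return {src: ids for src, ids in seen.items() if len(ids) >= threshold}


def run(lines=None, admin_ids=frozenset({"1"})):
    """Apply both indicators; defaults to the constructed sample with user 1 as the admin."""
    lines = SAMPLE_LOG.splitlines() if lines is None else lines
    return {"mismatches": find_mismatches(lines, admin_ids), "fanout": find_fanout(lines)}


if __name__ == "__main__":
    for k, v in run().items():
        print(k, v)
```

The mismatch rule is the precise signal and maps directly onto the SIEM query above; the fan-out rule catches the same behaviour when the session identity is not available in the log, at the cost of a threshold that needs tuning to normal administrator activity.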