CVE-2023-38047
📋 TL;DR
This CVE describes a Broken Object Level Authorization (BOLA) vulnerability in the Easy!Appointments scheduling software. The category endpoints authenticate the caller but do not check whether the caller is allowed to touch the category named in the URL, so a low-privileged user can read, modify, or delete any user's appointment categories, including those belonging to administrators. Every installation running an affected version is exposed, because any authenticated account can trigger the bypass.
💻 Affected Systems
- Easy!Appointments
📦 What is this software?
Easy!Appointments is an open-source web application for online appointment scheduling, maintained by Alex Tselegidis (repository: https://github.com/alextselegidis/easyappointments).
⚠️ Risk & Real-World Impact
Worst Case
An attacker could delete or modify all appointment categories, causing complete disruption of scheduling functionality and potential data loss across the entire system.
Likely Case
Malicious users could manipulate appointment categories they shouldn't have access to, leading to data integrity issues and unauthorized access to scheduling information.
If Mitigated
With proper authorization checks, users would only be able to access their own categories, preventing unauthorized data manipulation.
🎯 Exploit Status
Exploitation requires an authenticated account but minimal technical skill: the attacker changes the category ID in an otherwise ordinary API request to /categories/{categoryId} and the server honours it.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.5.0
Vendor Advisory: https://github.com/alextselegidis/easyappointments
Restart Required: No
Instructions:
1. Back up your current installation and database.
2. Download version 1.5.0 or later from the official repository.
3. Replace the existing files with the new version.
4. Verify the update was successful by checking the version in the admin panel.
🔧 Temporary Workarounds
Implement API Authorization Middleware
Add an object-level authorization check that runs before any GET, PUT, or DELETE request to /categories/{categoryId} is processed: look up the category, confirm the authenticated user is permitted to act on that specific record (admin role, or ownership of the record), and reject the request with an authorization error otherwise. Checking only that the caller is logged in is exactly the gap this CVE describes.
Restrict Category Management Endpoints
Until the patch is applied, restrict the category management endpoints to administrators only, either in the web server configuration or with an application-level control, so that lower-privileged accounts cannot reach them at all.
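The following is an added illustration of the first workaround, not code from Easy!Appointments or its maintainer. It models the category handler twice: the vulnerable form, which only checks that a session exists, and the hardened form, which adds the object-level check before any read, update, or delete. The data model (a category row carrying an owner_id, a session carrying user_id and role, the role name "provider" for a low-privileged account) is assumed for the example; in a real deployment the check belongs in the controller or middleware that serves /categories/{categoryId}.

```python
"""Object-level authorization for /categories/{categoryId}.

Added example, not Easy!Appointments code. The data model (category rows with
an owner_id, a session with user_id and role) is assumed so that the vulnerable
and hardened handlers can be compared side by side.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user_id: int
    role: str  # "admin" or a lower-privileged role such as "provider"


@dataclass
class Response:
    status: int
    body: Optional[dict] = None


def sample_store() -> Dict[int, dict]:
    """Constructed sample data: category 7 belongs to the admin (user 1),
    category 9 to a low-privileged user (user 2)."""
    return {
        7: {"id": 7, "name": "Consultation", "owner_id": 1},
        9: {"id": 9, "name": "Follow-up", "owner_id": 2},
    }


def _apply(store: Dict[int, dict], method: str, row: dict,
           payload: Optional[dict]) -> Response:
    """Shared GET/PUT/DELETE logic; only ever called after authorization."""
    if method == "GET":
        return Response(200, dict(row))
    if method == "PUT":
        # Only the name is client-writable; owner_id must never come from the body.
        row.update({k: v for k, v in (payload or {}).items() if k == "name"})
        return Response(200, dict(row))
    if method == "DELETE":
        del store[row["id"]]
        return Response(204)
    return Response(405)


def vulnerable_handler(store, session, method, category_id, payload=None) -> Response:
    """BOLA: authenticates the caller, then trusts whatever ID is in the URL."""
    if session is None:
        return Response(401)
    row = store.get(category_id)
    if row is None:
        return Response(404)
    return _apply(store, method, row, payload)


def is_authorized(session: Session, row: dict) -> bool:
    """Object-level check: admins may touch any category, others only their own."""
    return session.role == "admin" or row["owner_id"] == session.user_id


def hardened_handler(store, session, method, category_id, payload=None) -> Response:
    """Same handler with the object-level check inserted before any access."""
    if session is None:
        return Response(401)
    row = store.get(category_id)
    if row is None:
        return Response(404)
    if not is_authorized(session, row):
        # 403 is the "proper authorization error" the page asks for; return 404
        # here instead if you do not want to confirm that the ID exists.
        return Response(403)
    return _apply(store, method, row, payload)
```

Note that the check needs the record itself (to read owner_id), so it sits after the lookup and before the action; a check placed only on the route, without the record, cannot distinguish one category from another and is what the CVE's endpoints were missing.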
🧯 If You Can't Patch
- Implement network segmentation to isolate the Easy!Appointments instance from untrusted networks
- Enable request logging that records the authenticated user, their role, the HTTP method, and the category ID for every call to the category endpoints, and review it for non-admin writes and for one account walking through many category IDs
🔍 How to Verify
Check if Vulnerable:
Log in as a low-privileged account and send GET requests to /categories/{categoryId} using IDs of categories that account does not own (for example an administrator's). A 200 response with the category data confirms the bypass. Only test PUT or DELETE against a throwaway category you created for the purpose, since on a vulnerable instance the request will succeed.
Check Version:
Check the version displayed in the admin panel or examine the application's version file
Verify Fix Applied:
After patching, verify that low-privileged users can only access their own categories and receive proper authorization errors when attempting to access others' categories
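As an added example of the check described above (not a tool shipped with Easy!Appointments), the script below reads a list of category IDs as a low-privileged account and reports whether any foreign category is readable. It assumes the endpoint is reachable at the base URL plus /categories/{id}, the path named on this page; if your deployment mounts the API under a prefix, adjust base_url. How the account authenticates (Basic credentials, a bearer token, or a session cookie) is up to the Authorization header you pass. The probe issues GET requests only, so it is safe to run before and after patching.

```python
"""External check for the category BOLA. Added example, not project code.

Assumes the endpoint lives at <base_url>/categories/<id> and that the
Authorization header value you pass belongs to a LOW-PRIVILEGED account.
Only GET requests are sent.
"""
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable, Tuple

# A sender takes (method, url, headers) and returns (status, body); it is a
# parameter so the probe can be exercised offline with a fake sender.
Sender = Callable[[str, str, Dict[str, str]], Tuple[int, str]]


def urllib_send(method: str, url: str, headers: Dict[str, str]) -> Tuple[int, str]:
    req = urllib.request.Request(url, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def classify(status: int) -> str:
    """Map the HTTP status to what it says about authorization."""
    if status == 200:
        return "accessible"          # the account read a category it does not own
    if status == 401:
        return "not-authenticated"   # credentials rejected; says nothing about BOLA
    if status in (403, 404):
        return "denied-or-missing"   # either is acceptable after the fix
    return "other"


def probe(base_url: str, auth_header: str, category_ids: Iterable[int],
          send: Sender = urllib_send) -> Dict[str, object]:
    """GET each category as the low-privileged account and report verdicts.

    The instance is judged vulnerable if any foreign category is readable.
    credentials_ok is False when the account itself was rejected, in which
    case the run proves nothing and must be repeated with working credentials.
    """
    results: Dict[int, str] = {}
    for cid in category_ids:
        url = f"{base_url.rstrip('/')}/categories/{cid}"
        status, _ = send("GET", url, {"Authorization": auth_header,
                                      "Accept": "application/json"})
        results[cid] = classify(status)
    return {
        "results": results,
        "vulnerable": any(v == "accessible" for v in results.values()),
        "credentials_ok": all(v != "not-authenticated" for v in results.values()),
    }


if __name__ == "__main__":
    # Assumed values; replace with your instance, a low-privileged account's
    # Authorization header, and IDs of categories that account does not own.
    print(probe("https://booking.example.com", "Basic dXNlcjpwYXNz", [1, 2, 3]))
```

Run it once before patching (expect "accessible" for foreign IDs) and once after (expect "denied-or-missing" throughout); if credentials_ok comes back False, fix the credentials before drawing any conclusion.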
📡 Detection & Monitoring
Log Indicators:
- On patched instances: repeated 403 responses on category endpoints for one non-admin account
- On unpatched instances: successful PUT or DELETE requests to category endpoints from non-admin accounts
- Category deletion events from accounts that do not normally manage categories
Network Indicators:
- Unusual volumes of GET/PUT/DELETE requests to /categories/{categoryId} endpoints from a single session
- One account requesting many distinct, often sequential, category IDs in a short period (ID enumeration)
SIEM Query:
source="web_app_logs" AND (uri="/categories/*" OR uri="/api/categories/*") AND user_role!="admin" AND (http_method="PUT" OR http_method="DELETE")
Field names depend on your log schema; the role field in particular has to be added by your application or proxy logging, since the web server's own access log does not carry it.
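The SIEM query above expressed as runnable detection logic, as an added example that is not a vendor-supplied rule. It assumes JSON access logs enriched with the authenticated user's role (the same assumption the query makes) and flags two things: any non-admin PUT or DELETE on a category, whether it succeeded or was denied, and any non-admin account that touched at least five distinct category IDs, which is the enumeration pattern listed under network indicators. The log lines are constructed for the example.

```python
"""Detection over category-endpoint access logs. Added example, not a vendor rule.

Assumes one JSON object per line with fields ts, user, role, method, uri, status.
Easy!Appointments does not log the role itself; that field must come from your
application or proxy logging. The sample lines below are constructed.
"""
import json
import re
from collections import defaultdict
from typing import Dict, List

CATEGORY_RE = re.compile(r"^/(?:api/)?categories/(\d+)$")

# Constructed sample log: an admin edit (benign), one provider account walking
# five IDs and then deleting one, and another provider whose single read was denied.
SAMPLE_LOG = """
{"ts":"2024-01-10T09:00:01Z","user":"alice","role":"admin","method":"PUT","uri":"/categories/3","status":200}
{"ts":"2024-01-10T09:05:10Z","user":"mallory","role":"provider","method":"GET","uri":"/categories/1","status":200}
{"ts":"2024-01-10T09:05:11Z","user":"mallory","role":"provider","method":"GET","uri":"/categories/2","status":200}
{"ts":"2024-01-10T09:05:12Z","user":"mallory","role":"provider","method":"GET","uri":"/categories/3","status":200}
{"ts":"2024-01-10T09:05:13Z","user":"mallory","role":"provider","method":"GET","uri":"/categories/4","status":200}
{"ts":"2024-01-10T09:05:14Z","user":"mallory","role":"provider","method":"GET","uri":"/categories/5","status":200}
{"ts":"2024-01-10T09:05:30Z","user":"mallory","role":"provider","method":"DELETE","uri":"/categories/3","status":204}
{"ts":"2024-01-10T09:06:00Z","user":"bob","role":"provider","method":"GET","uri":"/categories/8","status":403}
{"ts":"2024-01-10T09:07:00Z","user":"bob","role":"provider","method":"GET","uri":"/index.php/appointments","status":200}
"""

ENUM_THRESHOLD = 5  # distinct category IDs touched by one non-admin account


def detect(log_text: str, enum_threshold: int = ENUM_THRESHOLD) -> List[Dict[str, str]]:
    """Return alerts for non-admin category writes and for ID enumeration.

    Writes are reported even when denied (status >= 400): after the patch a
    denied attempt is still an attempt worth seeing.
    """
    alerts: List[Dict[str, str]] = []
    ids_seen = defaultdict(set)
    for raw in log_text.strip().splitlines():
        ev = json.loads(raw)
        m = CATEGORY_RE.match(ev["uri"])
        if not m or ev["role"] == "admin":
            continue
        ids_seen[ev["user"]].add(m.group(1))
        if ev["method"] in ("PUT", "DELETE"):
            outcome = "succeeded" if ev["status"] < 400 else "denied"
            alerts.append({"rule": "non-admin-category-write", "user": ev["user"],
                           "detail": f"{ev['method']} {ev['uri']} {outcome}"})
    for user, ids in ids_seen.items():
        if len(ids) >= enum_threshold:
            alerts.append({"rule": "category-id-enumeration", "user": user,
                           "detail": f"{len(ids)} distinct category IDs"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Tune ENUM_THRESHOLD to how many categories a legitimate non-admin account normally views; the write rule needs no tuning, since on the page's model non-admin writes to foreign categories are never expected.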