CVE-2023-38050
📋 TL;DR
This CVE describes a Broken Object Level Authorization (BOLA) vulnerability in Easy!Appointments webhook endpoints that allows low-privileged authenticated users to access, modify, or delete any user's webhooks, including those belonging to administrators. This affects all users of vulnerable Easy!Appointments installations and can lead to unauthorized data manipulation and privilege escalation.
💻 Affected Systems
- Easy!Appointments
📦 What is this software?
Easyappointments by Easyappointments
⚠️ Risk & Real-World Impact
Worst Case
An attacker could delete or modify all webhooks in the system, disrupting critical integrations, or create malicious webhooks that leak sensitive data to external servers controlled by the attacker.
Likely Case
Low-privileged users could access or modify webhooks belonging to other users, potentially disrupting integrations or accessing sensitive information transmitted through webhooks.
If Mitigated
With proper authorization checks, users can only access their own webhooks, preventing unauthorized data access or manipulation.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward - an attacker simply needs to manipulate webhook IDs in API requests to target other users' webhooks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check the latest version on the GitHub repository
Vendor Advisory: https://github.com/alextselegidis/easyappointments
Restart Required: Yes
Instructions:
1. Back up your current installation and database.
2. Download the latest version from the official GitHub repository.
3. Replace the vulnerable files with the patched version.
4. Restart the web server.
5. Verify the fix by testing webhook authorization.
🔧 Temporary Workarounds
Implement custom authorization middleware
Add server-side authorization checks to verify that users can only access their own webhooks
Implement authorization logic in webhook controller methods to check if current user ID matches webhook owner ID
Disable webhook functionality
Temporarily disable webhook endpoints if they are not critically needed
Comment out or remove webhook routes in your application configuration
🧯 If You Can't Patch
- Implement network segmentation to restrict access to the application to trusted users only
- Enable detailed logging of all webhook operations and monitor for unauthorized access attempts
🔍 How to Verify
Check if Vulnerable:
Test if a low-privileged user can access, modify, or delete webhooks belonging to other users by manipulating the webhook ID parameter in API requests to /webhooks/{webhookId} endpoints.
Check Version:
Check the application version in the admin panel or review the application's version file.
Verify Fix Applied:
After patching, verify that users can only access their own webhooks and receive proper authorization errors when attempting to access others' webhooks.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authorization attempts on webhook endpoints
- Webhook operations from low-privileged users targeting webhook IDs not belonging to them
- Unexpected webhook modifications or deletions
Network Indicators:
- Unusual patterns of GET/PUT/DELETE requests to /webhooks/{webhookId} endpoints
- Requests to webhook endpoints with sequential or random webhook IDs
SIEM Query:
source="web_app_logs" AND (uri_path="/webhooks/*" OR uri_path="/api/webhooks/*") AND (user_role="low_privilege" OR user_role="user") AND (response_code=200 OR response_code=204) AND webhook_owner != current_user
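The SIEM query above, implemented as a detection pass over web-app log lines, plus a second check for the "sequential or random webhook IDs" network indicator. This is an added example, not part of this advisory or of Easy!Appointments; the JSON-lines records are constructed for illustration and their field names (uri_path, user_role, response_code, webhook_owner, current_user) are assumed to mirror the query's fields, not the application's real log format.

```python
import json
from collections import defaultdict
from typing import Dict, Iterable, Iterator, List

# Constructed sample records (not Easy!Appointments' real log format); field
# names mirror the SIEM query. One malformed line exercises error handling.
SAMPLE_LOGS = [
    '{"uri_path": "/webhooks/1", "method": "GET", "user_role": "user", "current_user": "u7", "webhook_owner": "u7", "response_code": 200}',
    '{"uri_path": "/webhooks/2", "method": "GET", "user_role": "user", "current_user": "u7", "webhook_owner": "admin", "response_code": 200}',
    '{"uri_path": "/webhooks/3", "method": "DELETE", "user_role": "user", "current_user": "u7", "webhook_owner": "u12", "response_code": 204}',
    '{"uri_path": "/webhooks/4", "method": "PUT", "user_role": "user", "current_user": "u7", "webhook_owner": "u3", "response_code": 403}',
    '{"uri_path": "/api/webhooks/9", "method": "GET", "user_role": "admin", "current_user": "admin", "webhook_owner": "u7", "response_code": 200}',
    '{"uri_path": "/appointments/5", "method": "GET", "user_role": "user", "current_user": "u9", "webhook_owner": null, "response_code": 200}',
    'not json at all',
]
WEBHOOK_PREFIXES = ("/webhooks/", "/api/webhooks/")
LOW_PRIV_ROLES = {"low_privilege", "user"}
SUCCESS_CODES = {200, 204}


def parse_records(lines: Iterable[str]) -> Iterator[Dict]:
    """Yield parsed JSON records, skipping malformed lines instead of aborting."""
    for line in lines:
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def is_webhook_request(record: Dict) -> bool:
    return str(record.get("uri_path", "")).startswith(WEBHOOK_PREFIXES)


def is_cross_user_success(record: Dict) -> bool:
    # The SIEM query's condition: a low-privileged user completed (200/204) a
    # webhook operation on a webhook owned by a different user.
    owner = record.get("webhook_owner")
    return (is_webhook_request(record) and record.get("user_role") in LOW_PRIV_ROLES
            and record.get("response_code") in SUCCESS_CODES
            and owner is not None and owner != record.get("current_user"))


def find_cross_user_webhook_access(lines: Iterable[str]) -> List[Dict]:
    """Records indicating a successful BOLA-style cross-user webhook access."""
    return [r for r in parse_records(lines) if is_cross_user_success(r)]


def webhook_id_enumerators(lines: Iterable[str], threshold: int = 3) -> Dict[str, int]:
    """Users touching at least `threshold` distinct webhook IDs (any status code)."""
    ids_per_user: Dict[str, set] = defaultdict(set)
    for r in parse_records(lines):
        if is_webhook_request(r):
            ids_per_user[r.get("current_user")].add(r["uri_path"].rsplit("/", 1)[-1])
    return {u: len(ids) for u, ids in ids_per_user.items() if len(ids) >= threshold}
```

Denied (403) requests are deliberately excluded from the first check and counted by the second, so a user probing many IDs shows up even when the patch is already in place.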