CVE-2023-38054
📋 TL;DR
This CVE describes a Broken Object Level Authorization (BOLA) vulnerability in Easy!Appointments: an authenticated low-privileged user can read, modify or delete customer records belonging to other users by substituting another customer's ID in the customer API endpoints. Every unpatched deployment that issues accounts to more than one person is exposed, because the only things the attacker needs are a valid login and somebody else's customer ID.
💻 Affected Systems
- Easy!Appointments
📦 What is this software?
Easy!Appointments is an open-source, self-hosted web application for appointment scheduling, written in PHP and published by Alex Tselegidis at https://github.com/alextselegidis/easyappointments.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of all customer data including personal information, appointment details, and ability to delete or modify all customer records, potentially leading to data destruction, privacy violations, and service disruption.
Likely Case
Unauthorized access to other users' personal information and appointment data, with potential for data modification or deletion affecting multiple customers.
If Mitigated
Limited impact with proper authorization checks preventing unauthorized access, maintaining data isolation between users.
🎯 Exploit Status
Exploitation requires an authenticated account, but only a low-privileged one. The attacker replays an ordinary customer request with another customer's ID in place of their own; nothing beyond an HTTP client or an intercepting proxy is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check GitHub repository for latest patched version
Vendor Advisory: https://github.com/alextselegidis/easyappointments
Restart Required: No
Instructions:
1. Back up the database and the application's configuration before touching any files.
2. Update to the latest version of Easy!Appointments from the official GitHub repository, replacing the existing application files with the updated ones.
3. Verify the update completed successfully (the version shown in the admin panel should match the release you installed), then repeat the authorization test under "How to Verify".
🔧 Temporary Workarounds
API Endpoint Restriction
Implement additional authorization checks at the application level: before a GET, PUT or DELETE on a customer ID is processed, confirm that the record belongs to, or is legitimately visible to, the authenticated account, and reject the request otherwise. This ownership check is the real fix for a BOLA flaw; every other measure below only limits exposure.
Web Application Firewall Rules
Configure the WAF to rate-limit and alert on sessions that request many different customer IDs (especially sequential ones) or that issue bursts of PUT/DELETE requests to customer endpoints. A forged request is syntactically identical to a legitimate one, so a WAF can slow enumeration and raise alerts but cannot by itself decide whether a given ID belongs to the requester.
🧯 If You Can't Patch
- Implement strict access controls and audit logging for all customer management endpoints, recording the authenticated account alongside the requested customer ID so that abuse can be attributed to a login
- Reduce the pool of accounts that can exploit the flaw: remove or disable unused low-privileged accounts, since a valid login is the only prerequisite
- Deploy network segmentation to isolate the application and limit access to authorized users only; note that this does not stop an existing, legitimate account from exploiting the flaw
🔍 How to Verify
Check if Vulnerable:
Log in as a low-privileged account, note the customer ID that account legitimately owns, then send GET, PUT and DELETE requests to /customers/{customerId} with a different customer's ID (use a throwaway test record for PUT and DELETE so you do not destroy real data). A 200 response that returns or changes another customer's record means the instance is vulnerable; a patched instance should refuse the request.
Check Version:
Check the application version shown in the admin panel, or inspect the version tag and changelog in the installed source tree.
Verify Fix Applied:
After patching, verify that low-privileged users can only access their own customer data and cannot manipulate other users' data through ID parameter manipulation
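The following is an added illustration, not code from Easy!Appointments or this advisory, that serves both the application-level workaround above and the verification steps in this section. It models the customer endpoint as a small in-memory handler with the ownership check switched off (the BOLA condition) and on (the workaround), and runs a probe that walks customer IDs as a low-privileged account and reports which foreign records answered 200. The path, the `owner` field, the record layout and the status codes are assumptions made for the example; against a real instance you replay the same three methods with an HTTP client, using a throwaway record for the write methods.

```python
"""
Added example (not Easy!Appointments code): a simulated /customers/{customerId}
endpoint in two modes, and a probe that checks whether a low-privileged account
can reach records it does not own. Path, field names and the ownership rule
are assumptions modelled on the advisory text.
"""
from dataclasses import dataclass


@dataclass
class Customer:
    id: int
    owner: str   # account allowed to manage this record (assumed data model)
    name: str


class FakeCustomerApi:
    """Stand-in for GET/PUT/DELETE /customers/{customerId}.

    enforce_ownership=False reproduces the BOLA condition: any authenticated
    session may act on any id. enforce_ownership=True adds the server-side
    ownership check the temporary workaround calls for.
    """

    def __init__(self, customers, enforce_ownership):
        self.customers = {c.id: c for c in customers}
        self.enforce_ownership = enforce_ownership
        self.audit = []   # (method, session_user, customer_id, status)

    def _authorize(self, session_user, customer_id):
        record = self.customers.get(customer_id)
        if record is None:
            return 404, None
        if self.enforce_ownership and record.owner != session_user:
            return 403, None
        return 200, record

    def request(self, method, session_user, customer_id, body=None):
        """Return an HTTP-style status and mutate state like the real handler would."""
        status, record = self._authorize(session_user, customer_id)
        self.audit.append((method, session_user, customer_id, status))
        if status != 200:
            return status
        if method == "GET":
            return 200
        if method == "PUT":
            record.name = (body or {}).get("name", record.name)
            return 200
        if method == "DELETE":
            del self.customers[customer_id]
            return 200
        return 405


def probe_bola(api, session_user, own_id, id_range, methods=("GET", "PUT", "DELETE")):
    """Try every id the session does not own; return {method: [ids that returned 200]}.

    GET and PUT run before DELETE for each id so a successful delete does not
    hide the read/write results for the same record.
    """
    reachable = {m: [] for m in methods}
    for cid in id_range:
        if cid == own_id:
            continue
        for m in methods:
            if api.request(m, session_user, cid, body={"name": "probe"}) == 200:
                reachable[m].append(cid)
    return reachable


def is_vulnerable(reachable):
    """True if any foreign id answered 200 to any method."""
    return any(reachable[m] for m in reachable)


def run_probe(enforce_ownership):
    """Build a three-customer instance (constructed data) and probe it as the owner of id 1."""
    seed = [Customer(1, "alice", "Alice A"),
            Customer(2, "bob", "Bob B"),
            Customer(3, "carol", "Carol C")]
    api = FakeCustomerApi(seed, enforce_ownership)
    return probe_bola(api, session_user="alice", own_id=1, id_range=range(1, 5))


if __name__ == "__main__":
    for mode in (False, True):
        result = run_probe(enforce_ownership=mode)
        print("ownership check" if mode else "no ownership check", "->",
              "VULNERABLE" if is_vulnerable(result) else "ok", result)
```

Without the ownership check the probe reaches, rewrites and deletes both foreign records; with it every foreign ID is refused with 403 and only the non-existent ID 4 returns 404. The check lives in `_authorize`, i.e. before any method-specific code runs, which is the placement the workaround requires: an authorization decision bolted onto the GET handler alone would leave PUT and DELETE exposed.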
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authorization attempts for customer endpoints (only visible once an ownership check is in place; on an unpatched instance the forged requests succeed and leave no failure to log)
- Unusual patterns of customer ID access across different user sessions
- Customer data modification requests from users not associated with those customer IDs
Network Indicators:
- Unusual API call patterns to customer endpoints with sequential or random customer IDs
- High volume of PUT/DELETE requests to customer endpoints
SIEM Query:
source="easyappointments" AND uri_path="/customers/*" AND (http_method="GET" OR http_method="PUT" OR http_method="DELETE")
| rex field=uri_path "/customers/(?<customer_id>\d+)"
| stats dc(customer_id) AS distinct_ids count AS requests values(http_method) AS methods by src_ip, user_id
| where distinct_ids > 5
The query assumes the log source carries the authenticated account as user_id; a plain web-server access log does not, so it must be enriched from the reverse proxy or the application. Tune the distinct_ids threshold to normal traffic; the aim is to surface one login touching many customer IDs, which is what enumeration looks like whether or not the requests succeed.
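As an added example of the log-side check the indicators above describe (not part of the original page), the following parses constructed access-log lines and flags a login that walks customer IDs. The log format is an assumption: a web-server access log enriched with the authenticated account, one request per line, since a plain access log has no user field. Thresholds are hypothetical and should be tuned to real traffic.

```python
"""
Added example (not from the advisory): detect customer-ID enumeration in
access logs that record the authenticated account. Log format and thresholds
are assumptions for the example.
"""
import re
from collections import defaultdict

# Constructed sample lines (not real Easy!Appointments logs). Assumed format:
# <timestamp> <src_ip> <authenticated_user> <method> <path> <status>
SAMPLE_LOG = """\
2024-05-02T10:00:01Z 203.0.113.7 alice GET /customers/12 200
2024-05-02T10:00:03Z 203.0.113.7 alice GET /customers/13 200
2024-05-02T10:00:04Z 203.0.113.7 alice GET /customers/14 403
2024-05-02T10:00:05Z 203.0.113.7 alice GET /customers/15 403
2024-05-02T10:00:06Z 203.0.113.7 alice PUT /customers/16 200
2024-05-02T10:00:07Z 203.0.113.7 alice DELETE /customers/17 200
2024-05-02T10:05:00Z 198.51.100.4 bob GET /customers/40 200
2024-05-02T10:05:30Z 198.51.100.4 bob PUT /customers/40 200
2024-05-02T10:06:00Z 198.51.100.4 bob GET /appointments/7 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<user>\S+) (?P<method>GET|PUT|DELETE|POST) "
    r"/customers/(?P<cid>\d+) (?P<status>\d{3})$"
)


def parse_customer_requests(log_text):
    """Yield one dict per request that touched /customers/{id}; other paths are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["cid"] = int(d["cid"])
            d["status"] = int(d["status"])
            yield d


def longest_sequential_run(ids):
    """Length of the longest run of consecutive integers among the distinct ids."""
    ids = sorted(set(ids))
    best = run = 1 if ids else 0
    for a, b in zip(ids, ids[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def detect_id_enumeration(log_text, max_distinct=4, max_denied=2, min_run=3):
    """Flag (src_ip, user) pairs whose customer access looks like ID walking.

    Returns {(src_ip, user): [reasons]}; an empty dict means nothing suspicious.
    Successful writes are reported only as context for an actor already flagged,
    since a single PUT on one's own record is normal.
    """
    per_actor = defaultdict(lambda: {"ids": [], "denied": 0, "writes": set()})
    for r in parse_customer_requests(log_text):
        a = per_actor[(r["src"], r["user"])]
        a["ids"].append(r["cid"])
        if r["status"] == 403:
            a["denied"] += 1
        if r["method"] in ("PUT", "DELETE") and r["status"] == 200:
            a["writes"].add(r["cid"])

    alerts = {}
    for actor, a in per_actor.items():
        reasons = []
        distinct = len(set(a["ids"]))
        if distinct > max_distinct:
            reasons.append(f"{distinct} distinct customer ids")
        if a["denied"] >= max_denied:
            reasons.append(f"{a['denied']} authorization failures")
        run = longest_sequential_run(a["ids"])
        if run >= min_run:
            reasons.append(f"sequential run of {run} ids")
        if reasons and a["writes"]:
            reasons.append(f"successful writes to ids {sorted(a['writes'])}")
        if reasons:
            alerts[actor] = reasons
    return alerts


if __name__ == "__main__":
    for actor, reasons in detect_id_enumeration(SAMPLE_LOG).items():
        print(actor, "->", "; ".join(reasons))
```

On the sample, `alice` is flagged on all three counts (six distinct IDs, two 403s, a sequential run of six) with successful writes to 16 and 17 listed as context, while `bob`, who only touches his own record, is not. The 403 count only helps once an ownership check exists; the distinct-ID and sequential-run checks work on an unpatched instance too, where every forged request returns 200.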