Securing Easy Appointments and earning CVE-2022-0482

2 years ago 121
BOOK THIS SPACE FOR AD
ARTICLE AD

Easy Appointments contained a very dangerous Broken Access Control vulnerability tracked as CVE-2022-0482 that was exposing PII.

Another day, another threat to your data. The recently discovered CVE-2022-0482 is a Broken Access Control vulnerability affecting Easy Appointments, a popular open-source web app written in PHP, used by thousands of sites to manage their online bookings.

The vulnerability allows unauthenticated actors, to access private users’ data stored in the target system, due to a pitfall in the API permissions check.

The vulnerability was discovered and responsibly reported by Francesco Carlucci on 30th Jan 2022, and fixed by Easy Appointments development team on 8 March 2022.Easy Appointments is now secured, so the best way to be protected is to update the software to the last stable version. Alternatively, a patch file is available for download as well – https://github.com/alextselegidis/easyappointments/blob/master/patch.php – and deploys a fix valid for any previous version.

Yet another time, a new security threat reminds us how important is to keep all the software updated and to monitor the security releases for 3rd party libraries we rely on.

You can read the full write up and the technical details for this vulnerability on: https://opencirt.com/hacking/securing-easy-appointments-cve-2022-0482/

About the author: Francesco Carlucci (f.carlucci@opencirt.comopencirt.com)
Cybersecurity researcher and Founder OpenCIRT OÜ

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit: 
https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform  

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(SecurityAffairs – hacking, Easy Appointments)

Read Entire Article