Another day, another threat to your data. The recently discovered CVE-2022-0482 is a Broken Access Control vulnerability affecting Easy Appointments, a popular open-source web app written in PHP, used by thousands of sites to manage their online bookings.
The vulnerability allows unauthenticated actors, to access private users’ data stored in the target system, due to a pitfall in the API permissions check.
The vulnerability was discovered and responsibly reported by Francesco Carlucci on 30th Jan 2022, and fixed by Easy Appointments development team on 8 March 2022.Easy Appointments is now secured, so the best way to be protected is to update the software to the last stable version. Alternatively, a patch file is available for download as well – https://github.com/alextselegidis/easyappointments/blob/master/patch.php – and deploys a fix valid for any previous version.
Yet another time, a new security threat reminds us how important is to keep all the software updated and to monitor the security releases for 3rd party libraries we rely on.
You can read the full write up and the technical details for this vulnerability on: https://opencirt.com/hacking/securing-easy-appointments-cve-2022-0482/
About the author: Francesco Carlucci ([email protected]opencirt.com)
Cybersecurity researcher and Founder OpenCIRT OÜ
Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit: https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform
Follow me on Twitter: @securityaffairs and Facebook
|[adrotate banner=”9″]||[adrotate banner=”12″]|
(SecurityAffairs – hacking, Easy Appointments)