Another day, another threat to your data. The recently discovered CVE-2022-0482 is a Broken Access Control vulnerability affecting Easy Appointments, a popular open-source web app written in PHP, used by thousands of sites to manage their online bookings.
The vulnerability allows unauthenticated actors, to access private users’ data stored in the target system, due to a pitfall in the API permissions check.
The vulnerability was discovered and responsibly reported by Francesco Carlucci on 30th Jan 2022, and fixed by Easy Appointments development team on 8 March 2022.Easy Appointments is now secured, so the best way to be protected is to update the software to the last stable version. Alternatively, a patch file is available for download as well – https://github.com/alextselegidis/easyappointments/blob/master/patch.php – and deploys a fix valid for any previous version.
Yet another time, a new security threat reminds us how important is to keep all the software updated and to monitor the security releases for 3rd party libraries we rely on.
You can read the full write up and the technical details for this vulnerability on: https://opencirt.com/hacking/securing-easy-appointments-cve-2022-0482/
About the author: Francesco Carlucci (f.carlucci@opencirt.comopencirt.com)
Cybersecurity researcher and Founder OpenCIRT OÜ
Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit: https://docs.google.com/forms/d/e/1FAIpQLSfxxrxICiMZ9QM9iiPuMQIC-IoM-NpQMOsFZnJXrBQRYJGCOw/viewform
Follow me on Twitter: @securityaffairs and Facebook
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, Easy Appointments)
[adrotate banner=”5″]
[adrotate banner=”13″]
Cisco warns customers of password-spraying attacks that have been targeting Remote Access VPN (RAVPN) services…
Hot Topic suffered credential stuffing attacks that exposed customers' personal information and partial payment data.…
Cisco addressed multiple vulnerabilities in IOS and IOS XE software that can be exploited to…
Google's Threat Analysis Group (TAG) and Mandiant reported a surge in the number of actively…
Google addressed two zero-day vulnerabilities in the Chrome web browser that have been demonstrated during…
The INC Ransom extortion group hacked the National Health Service (NHS) of Scotland and is threatening…
This website uses cookies.