
CVE-2023-2104: alextselegidis/easyappointments Improper Access Control vulnerability

CVSS Score (v3.0): 5.4

Basic Information

EPSS Score: 0.19033%
Published: 4/15/2023
Updated: 4/21/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Package Name: alextselegidis/easyappointments
Ecosystem: composer
Vulnerable Versions: <= 1.4.3
First Patched Version: (not listed)

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability was patched by adding role-based access control checks in the get_calendar_appointments method. The commit diff shows the original implementation did not filter appointments/unavailabilities by the current user's permissions. The function returned all entries regardless of ownership, enabling cross-provider data exposure. The added code in the patch explicitly filters results based on session user ID and role (provider/secretary), confirming this was the vulnerable entry point.
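As an added illustration of the access-control pattern the patch introduces (hypothetical Python written for this page, not the project's PHP code): the pre-patch handler hands every calendar entry to any authenticated user, while the fixed handler filters by the session's user id and role. The record shape, the sample data and the secretary-to-provider assignment list are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    id: int
    provider_id: int   # provider who owns this calendar entry
    kind: str          # "appointment" or "unavailability"

# Constructed sample calendar data belonging to three different providers.
CALENDAR = [
    Entry(1, 10, "appointment"),
    Entry(2, 10, "unavailability"),
    Entry(3, 20, "appointment"),
    Entry(4, 30, "appointment"),
]

# Constructed sessions. The "providers" list on a secretary session is an
# assumption about how secretary-to-provider assignment is represented.
SESSIONS = {
    "alice": {"user_id": 10, "role": "provider"},
    "bob":   {"user_id": 20, "role": "provider"},
    "sam":   {"user_id": 40, "role": "secretary", "providers": [10, 30]},
}

def get_calendar_appointments_vulnerable(session, entries=CALENDAR):
    """Pre-patch behaviour: ownership is never checked, every entry is returned."""
    return list(entries)

def allowed_provider_ids(session):
    """Providers whose entries this session may see, derived from user id and role."""
    role = session.get("role")
    if role == "provider":
        return {session["user_id"]}            # a provider sees only its own calendar
    if role == "secretary":
        return set(session.get("providers", []))  # only the providers assigned to them
    return set()                                # any other role: deny by default

def get_calendar_appointments_fixed(session, entries=CALENDAR):
    """Post-patch behaviour: keep only entries owned by an allowed provider."""
    allowed = allowed_provider_ids(session)
    return [e for e in entries if e.provider_id in allowed]
```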


WAF Protection Rules

WAF Rule

alextselegidis/easyappointments *.*.* and prior allows one provider to view and edit other providers' appointment details. A patch is available at commit **************************************** and anticipated to be part of version *.*.*.
