8.7

CVSS Score

4.0

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2026-23622

CVE-2026-23622: CSRF Protection Bypass: Sensitive endpoints accept GET requests, enabling admin account takeover

Easy!Appointments is a self hosted appointment scheduler. In 1.5.2 and earlier, application/core/EA_Security.php::csrf_verify() only enforces CSRF for POST requests and returns early for non-POST methods. Several application endpoints perform state-changing operations while accepting parameters from GET (or $_REQUEST), so an attacker can perform CSRF by forcing a victim's browser to issue a crafted GET request. Impact: creation of admin accounts, modification of admin email/password, and full admin account takeover.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2026-23622

CVE-2026-23622:

8.7

CVSS Score

4.0

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
alextselegidis/easyappointments	composer	<= 1.5.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists because the core CSRF protection mechanism in EA_Security::csrf_verify is only applied to POST requests. This means any sensitive, state-changing action that accepts parameters via a GET request is vulnerable to a CSRF attack. An attacker can trick a logged-in administrator into visiting a malicious webpage, which then makes a GET request to the vulnerable application endpoint, performing actions on the attacker's behalf.

The provided patch addresses this by implementing a 'controller hardening' strategy. It introduces a new helper function, method(), which strictly enforces the expected HTTP method (e.g., 'POST') for controller actions that modify data. This change is applied across numerous controllers, including those for managing admins, appointments, customers, and system settings. By ensuring these actions only respond to POST requests, the application forces them through the existing CSRF protection, effectively mitigating the vulnerability. The functions listed were all patched to enforce the POST method, indicating they were previously vulnerable to this CSRF bypass.

Vulnerable functions

EA_Security.csrf_verify

application/core/EA_Security.php

This function is the root cause of the vulnerability. It only performs CSRF validation for POST requests, and bypasses it for all other HTTP methods, such as GET. This allows CSRF attacks on any state-changing endpoint that accepts GET requests.

Admins.store

application/controllers/Admins.php

This function, responsible for creating new admin accounts, was vulnerable to CSRF. Because it did not enforce the request method, an attacker could trigger it with a GET request, bypassing the CSRF protection. The patch mitigates this by adding a `method('post')` check, ensuring only POST requests are accepted.

Admins.update

application/controllers/Admins.php

This function, which updates admin user information, was vulnerable to CSRF. An attacker could use a GET request to change an admin's details, including their email, potentially leading to account takeover. The patch enforces that this action can only be performed via a POST request.

Account.save

application/controllers/Account.php

This function for saving user account settings was vulnerable to CSRF. It could be triggered via a GET request, allowing an attacker to modify a user's account details. The fix involves adding a `method('post')` check.

Admins.destroy

application/controllers/Admins.php

This function for deleting admin accounts was vulnerable to CSRF via GET requests. The patch ensures it only accepts POST requests.

Appointments.store

application/controllers/Appointments.php

This function for creating appointments was vulnerable to CSRF via GET requests. The patch ensures it only accepts POST requests.

Appointments.update

application/controllers/Appointments.php

This function for updating appointments was vulnerable to CSRF via GET requests. The patch ensures it only accepts POST requests.

Customers.store

application/controllers/Customers.php

This function for creating customers was vulnerable to CSRF via GET requests. The patch ensures it only accepts POST requests.

Customers.update

application/controllers/Customers.php

This function for updating customers was vulnerable to CSRF via GET requests. The patch ensures it only accepts POST requests.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.7

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2026-23622: CSRF Protection Bypass: Sensitive endpoints accept GET requests, enabling admin account takeover

CVE-2026-23622:

8.7

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

CVE-2026-23622: CSRF Protection Bypass: Sensitive endpoints accept GET requests, enabling admin account takeover

Technical Details

8.7

8.7

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI