CVE-2022-0482
Published: 2022-03-09
Priority: P1 83 · critical · 9.1 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 38.13% (98.4th percentile)
Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository alextselegidis/easyappointments prior to 1.4.3.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| alextselegidis | alextselegidis_easyappointments | >= unspecified < 1.4.3 | 1.4.3 |
| alextselegidis | easyappointments | >= 0 < 1.4.3 | 1.4.3 |
| easyappointments | easyappointments | < 1.4.3 | 1.4.3 |
Detection & IOCs (extracted from sources)
- Detect unauthenticated POST requests to the vulnerable endpoint /index.php/backend_api/ajax_get_calendar_events; a successful exploit response will contain both '"appointments":' and '"unavailables":' in the body with HTTP 200.
- The exploit first performs a GET to /index.php to harvest the csrfCookie value from the response headers, then replays it as csrfToken in the POST body; monitor for this two-step unauthenticated sequence.
- The csrfToken parameter value is extracted from the Set-Cookie / response header key 'csrfCookie'; look for POST requests to the calendar events API where the csrfToken matches a cookie value obtained in a prior unauthenticated GET.
- The vulnerability affects Easy!Appointments versions prior to 1.4.3; version 1.4.3 and above are not vulnerable. Confirm the target version before acting on detections.
- The exploit requires no authentication (PR:N) and no user interaction (UI:N), so any network-accessible instance is at risk without additional access controls.
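The indicators above turned into detection logic, as an added example that is not a rule shipped by any of the sources on this page. It assumes a reverse proxy or WAF that writes one JSON object per HTTP transaction with the fields read below (src_ip, method, uri, status, req_cookies, set_cookie, post_params, resp_body); those field names, the session-cookie name and the sample records are constructed for the example. The indicators themselves (the endpoint, the csrfCookie harvest followed by csrfToken replay, the two JSON keys in a successful response) are the ones listed above.

```python
"""Detection logic for the CVE-2022-0482 exploitation sequence.

Added example, not a rule from any vendor or from the Easy!Appointments project.
Assumes a reverse proxy or WAF that logs one JSON object per HTTP transaction
with the fields read below; field names, session-cookie name and sample records
are constructed for this example.
"""
import json
from collections import defaultdict

ENDPOINT = "/index.php/backend_api/ajax_get_calendar_events"
# Assumption: the cookie that marks a logged-in backend user; set it to the real name for the deployment.
SESSION_COOKIE = "ea_session"
LEAK_MARKERS = ('"appointments":', '"unavailables":')

# Constructed sample log: an anonymous harvest-and-replay that succeeded (198.51.100.7),
# one that hit a patched instance and got 403 (192.0.2.9), and one legitimate staff request.
SAMPLE_LOG = r"""
{"ts": "2024-01-06T10:00:01Z", "src_ip": "198.51.100.7", "method": "GET", "uri": "/index.php", "status": 200, "req_cookies": {}, "set_cookie": {"csrfCookie": "c0ffee01"}, "post_params": {}, "resp_body": "<html>booking form</html>"}
{"ts": "2024-01-06T10:00:02Z", "src_ip": "198.51.100.7", "method": "POST", "uri": "/index.php/backend_api/ajax_get_calendar_events", "status": 200, "req_cookies": {"csrfCookie": "c0ffee01"}, "set_cookie": {}, "post_params": {"csrfToken": "c0ffee01", "startDate": "2015-01-11", "endDate": "2024-01-06"}, "resp_body": "{\"appointments\":[{\"id\":1,\"customer_id\":7}],\"unavailables\":[]}"}
{"ts": "2024-01-06T10:05:00Z", "src_ip": "192.0.2.9", "method": "GET", "uri": "/index.php", "status": 200, "req_cookies": {}, "set_cookie": {"csrfCookie": "deadbeef"}, "post_params": {}, "resp_body": "<html>booking form</html>"}
{"ts": "2024-01-06T10:05:01Z", "src_ip": "192.0.2.9", "method": "POST", "uri": "/index.php/backend_api/ajax_get_calendar_events", "status": 403, "req_cookies": {"csrfCookie": "deadbeef"}, "set_cookie": {}, "post_params": {"csrfToken": "deadbeef", "startDate": "2015-01-11", "endDate": "2024-01-06"}, "resp_body": "{\"error\":\"unauthorized\"}"}
{"ts": "2024-01-06T11:00:00Z", "src_ip": "203.0.113.5", "method": "POST", "uri": "/index.php/backend_api/ajax_get_calendar_events", "status": 200, "req_cookies": {"csrfCookie": "feed1234", "ea_session": "s3ss10n"}, "set_cookie": {}, "post_params": {"csrfToken": "feed1234", "startDate": "2024-01-01", "endDate": "2024-01-31"}, "resp_body": "{\"appointments\":[],\"unavailables\":[]}"}
"""


def detect(lines):
    """Return one alert per unauthenticated POST to the calendar-events API that
    either replayed a csrfCookie harvested anonymously by the same source, or
    actually got data back (HTTP 200 with both JSON keys in the body)."""
    harvested = defaultdict(set)  # src_ip -> csrfCookie values handed to anonymous visitors
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        ip, req_cookies = rec["src_ip"], rec.get("req_cookies", {})
        authenticated = SESSION_COOKIE in req_cookies

        # Step 1 of the exploit: anonymous GET of the public form, which hands out csrfCookie.
        if rec["method"] == "GET" and rec["uri"] == "/index.php" and not authenticated:
            token = rec.get("set_cookie", {}).get("csrfCookie")
            if token:
                harvested[ip].add(token)
            continue

        # Step 2: POST to the backend API with no staff session cookie.
        if rec["method"] == "POST" and rec["uri"] == ENDPOINT and not authenticated:
            token = rec.get("post_params", {}).get("csrfToken")
            body = rec.get("resp_body", "")
            leaked = rec["status"] == 200 and all(m in body for m in LEAK_MARKERS)
            replayed = token is not None and token in harvested.get(ip, ())
            if leaked or replayed:
                alerts.append({
                    "ts": rec["ts"],
                    "src_ip": ip,
                    "severity": "high" if leaked else "medium",
                    "reason": "appointment data returned to unauthenticated client" if leaked
                              else "harvested csrfCookie replayed as csrfToken, no data returned",
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(json.dumps(alert))
```

The high-severity branch depends on the proxy logging response bodies and the medium one on request bodies; plain access logs give neither, in which case the remaining signal is a POST to the endpoint with HTTP 200 from a client that never authenticated, which is weaker but still worth a rule on a pre-1.4.3 instance.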
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| NVD | 3.0 | 9.1 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| NVD | 2.0 | 6.4 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:P/A:N |
| VulnCheck | | 9.1 | CRITICAL | |
OSV
osv · 2022-03-10
CVE-2022-0482 [CRITICAL] Exposure of Private Personal Information to an Unauthorized Actor in alextselegidis/easyappointments
The software is a booking management system that has a public form to place bookings, and a private area for the calendar and management of services, users, settings, etc. There is a backend API that allows data manipulation, including listing the appointments for a specific time range. This happens on this endpoint:
/index.php/backend_api/ajax_get_calendar_events
Unfortunately, there is no authentication / permissions-check on that endpoint; the only required parameters in a POST request are "startDate", "endDate" and "csrfToken". Because the csrfToken can be obtained by any unauthenticated user just visiting the public form (and is valid for the backend as well), any attacker can query t
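The access-control flaw the OSV and GHSA advisory text describes, worked through as an added example that is not Easy!Appointments code: a minimal stand-in for the backend controller whose vulnerable variant verifies only that the posted csrfToken matches the csrfCookie, beside the fixed variant that additionally requires an authenticated staff session; exploit() runs the two-step sequence (harvest csrfCookie from the public form, replay it as csrfToken). The field names startDate, endDate and csrfToken and the cookie name csrfCookie are the ones the advisory names; the class and function names, the session cookie, the role names and the sample appointment rows are constructed for this example.

```python
"""CVE-2022-0482 as a worked example: a CSRF token is not an authentication check.

Added illustration, not Easy!Appointments code. Server is a minimal stand-in for
the backend controller; field names startDate/endDate/csrfToken and the cookie
csrfCookie come from the advisory, everything else here is constructed.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field

ENDPOINT = "/index.php/backend_api/ajax_get_calendar_events"
STAFF_ROLES = ("admin", "provider", "secretary")  # assumption: roles allowed into the backend

# Constructed rows standing in for the appointments table (the PII that leaks).
APPOINTMENTS = [
    {"id": 1, "start": "2022-03-01 09:00", "customer": "Alice Example", "phone": "+1-555-0100"},
    {"id": 2, "start": "2022-03-02 14:30", "customer": "Bob Example", "phone": "+1-555-0101"},
]


@dataclass
class Request:
    method: str
    path: str
    cookies: dict[str, str] = field(default_factory=dict)
    form: dict[str, str] = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: dict | None = None
    set_cookie: dict[str, str] = field(default_factory=dict)


class Server:
    """Toy application: hands every visitor a CSRF cookie and tracks staff sessions."""

    def __init__(self, fixed: bool) -> None:
        self.fixed = fixed
        self.sessions: dict[str, str] = {}  # session id -> role

    def handle(self, req: Request) -> Response:
        if req.method == "GET" and req.path == "/index.php":
            # Public booking form: anonymous visitors get csrfCookie too, so holding
            # the token proves nothing about who the client is.
            return Response(200, {"page": "booking form"}, {"csrfCookie": secrets.token_hex(16)})
        if req.method == "POST" and req.path == ENDPOINT:
            return self._calendar_events(req)
        return Response(404)

    def _calendar_events(self, req: Request) -> Response:
        # CSRF check, present in both versions: the token in the body must match the cookie.
        token = req.form.get("csrfToken")
        if not token or token != req.cookies.get("csrfCookie"):
            return Response(403, {"error": "csrf"})
        if self.fixed:
            # The fix: the backend API additionally requires a logged-in staff session.
            role = self.sessions.get(req.cookies.get("session", ""))
            if role not in STAFF_ROLES:
                return Response(403, {"error": "unauthorized"})
        start, end = req.form.get("startDate", ""), req.form.get("endDate", "")
        events = [a for a in APPOINTMENTS if start[:10] <= a["start"][:10] <= end[:10]]
        return Response(200, {"appointments": events, "unavailables": []})


def exploit(server: Server) -> Response:
    """The two-step sequence from the advisory: fetch the public form to harvest
    csrfCookie, then replay it as csrfToken against the backend API."""
    token = server.handle(Request("GET", "/index.php")).set_cookie["csrfCookie"]
    return server.handle(Request(
        "POST", ENDPOINT,
        cookies={"csrfCookie": token},
        form={"csrfToken": token, "startDate": "2015-01-11", "endDate": "2022-12-31"},
    ))


def staff_query(server: Server) -> Response:
    """Legitimate use: the same request carrying a valid staff session cookie."""
    sid = "constructed-session-id"
    server.sessions[sid] = "admin"
    token = server.handle(Request("GET", "/index.php")).set_cookie["csrfCookie"]
    return server.handle(Request(
        "POST", ENDPOINT,
        cookies={"csrfCookie": token, "session": sid},
        form={"csrfToken": token, "startDate": "2015-01-11", "endDate": "2022-12-31"},
    ))


if __name__ == "__main__":
    for fixed in (False, True):
        r = exploit(Server(fixed))
        leaked = len((r.body or {}).get("appointments", []))
        print(f"fixed={fixed}: HTTP {r.status}, appointments leaked: {leaked}")
    print(f"staff on fixed build: HTTP {staff_query(Server(True)).status}")
```

The point the example makes is the one in the advisory: the CSRF check passes for anyone who has loaded the public form, so it guards against cross-site request forgery but says nothing about authorization; the backend API needs its own session and role check, which is what the fixed variant adds.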
GHSA
ghsa · 2022-03-10
CVE-2022-0482 [CRITICAL] CWE-359 Exposure of Private Personal Information to an Unauthorized Actor in alextselegidis/easyappointments
VulnCheck
vulncheck · 2022 · CVSS 9.1
CVE-2022-0482 [CRITICAL] easyappointments easyappointments Exposure of Private Personal Information to an Unauthorized Actor
Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository alextselegidis/easyappointments prior to 1.4.3.
Affected: easyappointments easyappointments
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-11-17&host_type=src&vulnerability=cve-2022-0482
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-06&host_type=src&vulnerability=cve-2022-0482
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map
No detection rules found.
Exploit-DB
exploitdb · 2022-04-19 · CVSS 9.1
CVE-2022-0482 [CRITICAL] Easy Appointments 1.4.2 - Information Disclosure
---
# Exploit Title: Easy Appointments 1.4.2 - Information Disclosure
# Exploit author: noraj (Alexandre ZANNI) for ACCEIS (https://www.acceis.fr)
# Author website: https://pwn.by/noraj/
# Exploit source: https://github.com/Acceis/exploit-CVE-2022-0482
# Date: 2022-04-11
# Vendor Homepage: https://easyappointments.org/
# Software Link: https://github.com/alextselegidis/easyappointments/archive/refs/tags/1.4.2.tar.gz
# Version:

Usage:
  #{__FILE__} [ ] [--debug]
  #{__FILE__} -h | --help

Options:
  Root URL (base path) including HTTP scheme, port and root folder
  All events since (default: 2015-01-11)
  All events until (default: today)
  --debug       Display arguments
  -h, --help    Show this screen

Examples:
  #{__FILE__} http://10.0.0.1
  #{__FILE__} https://10.0.0.1:4567/subdi
Nuclei
nuclei · CVSS 9.1
CVE-2022-0482 [CRITICAL] Easy!Appointments <1.4.3 - Broken Access Control
Template:
id: CVE-2022-0482

info:
  name: Easy!Appointments <1.4.3 - Broken Access Control
  author: francescocarlucci,opencirt
  severity: critical
  description: |
    Easy!Appointments prior to 1.4.3 (GitHub repository alextselegidis/easyappointments) exposes private personal information to an unauthorized actor: the backend calendar-events API can be queried without authentication.
  impact: |
    An attacker can exploit this vulnerability to gain unauthorized access to sensitive data or perform unauthorized actions.
  remediation: |
    Upgrade Easy!Appointments to version 1.4.3 or above to fix the Broken Access Control vulnerability.
  reference:
    -
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/166701/Easy-Appointments-Information-Disclosure.html
- https://github.com/alextselegidis/easyappointments/commit/44af526a6fc5e898bc1e0132b2af9eb3a9b2c466
- https://huntr.dev/bounties/2fe771ef-b615-45ef-9b4d-625978042e26
- https://opencirt.com/hacking/securing-easy-appointments-cve-2022-0482/
Timeline
- 2022-03-09: Published
- Exploited in the wild