EasyAppointments Privilege Escalation Vulnerability

Vulnerability

A privilege escalation vulnerability has been identified in EasyAppointments version 1.5.0. The issue allows remote attackers to escalate privileges through the index.php file.

Impact

Exploitation of this vulnerability allows for unauthorized privilege escalation, potentially leading to unauthorized access or actions within the application.

Reproduction

The vulnerability can be reproduced by brute-forcing the admin login endpoint '/index.php/login/validate'. The application ships with a default rate limit, but it only requires waiting a few seconds after every eight failed password attempts, so it can be bypassed and a significant number of password attempts remains possible within a 24-hour period.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread:         1.0
impact:         5.0
exploitability: 6.4
remediation:    0.0
relevance:      0.0
threat:         6.4
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.