Severity by source
AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
Any normal provider account can exploit this with a simple parameter substitution (AC:L, PR:L); impact is integrity-only - no confidentiality or availability loss described.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Easy!Appointments is a self hosted appointment scheduler. Versions prior to 1.6.0 correctly filter provider-scoped appointments in the appointments/search response, proving that provider isolation is an intended security boundary. However, the direct mutation endpoints appointments/store and appointments/update only check generic appointment privileges and never verify that the submitted id_users_provider belongs to the current session. A normal authenticated provider can inject new appointments into another provider's schedule via store, or reassign existing appointments into a foreign provider's calendar via update. The store path contains an additional write-before-crash bug: the unauthorized row is committed to the database before the controller crashes on a type error, so the attacker receives an error response while the foreign appointment is already persisted. Version 1.6.0 patches the issue.
AnalysisAI
Horizontal privilege escalation in Easy!Appointments prior to 1.6.0 permits any authenticated provider to inject appointments into a peer provider's calendar or reassign existing appointments across provider boundaries by supplying an arbitrary id_users_provider value to the store and update API endpoints. The asymmetry is stark: the search endpoint correctly enforces provider-scoped filtering, confirming the isolation boundary was intentionally designed - making this an incomplete implementation rather than a missing feature. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid authenticated provider-role account within the target Easy!Appointments instance - unauthenticated external attackers cannot exploit this directly. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The assigned CVSS 3.1 score of 3.3 (AV:N/AC:H/PR:H) materially underestimates exploitability. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker holding a valid Easy!Appointments provider account enumerates the numeric IDs of peer providers (discoverable via scheduling UI or API), then posts a crafted JSON body to `/appointments/store` with a substituted `id_users_provider` referencing the target. The database commits the unauthorized appointment row before the controller crashes, so the victim provider's calendar is modified while the attacker receives only an HTTP error - making the attack look like a failed request in access logs. … |
| Remediation | Upgrade to Easy!Appointments version 1.6.0, which patches the provider authorization bypass per the vendor security advisory at https://github.com/alextselegidis/easyappointments/security/advisories/GHSA-w8xc-8g92-v77h; the fix is tracked in commit 4abb10545d83ac1a57d03f6502376ee67696ee7c. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Easyappointments
View allAn issue in Alex Tselegidis EasyAppointments v.1.5.0 allows a remote attacker to escalate privileges via the index.php f
Use of Hard-coded Credentials in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Rated critical severi
Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository alextselegidis/easyappointments p
Session Fixation in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Rated high severity (CVSS 8.8), th
API Privilege Escalation in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Rated high severity (CVSS
Cross Site Scripting vulnerability in Alex Tselegidis EasyAppointments v.1.5.0 allows a remote attacker to execute arbit
Improper Access Control in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Rated medium severity (CVSS
Cross-site Scripting (XSS) - Stored in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Rated medium se
Cross-site Scripting (XSS) - Stored in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Rated medium se
Authorization Bypass Through User-Controlled Key in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Ra
Code Injection in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Rated low severity (CVSS 3.8), this
Broken object-level authorization in Easy!Appointments 1.5.2 lets any authenticated user query the customers search endp
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43720