
cpe:2.3:a:alextselegidis:easyappointments:*:*:*:*:*:*:*:*

part: a
version: *
update: *

Vendor: Alextselegidis (d21aaa92-af47-5651-b0cc-18723175ff67)
Product: Easyappointments (fd172e79-0034-52a7-b5ab-f4dc31683e22)
Edition: *
Language: *
Software edition: *
Target software: *
Target hardware: *
Other: *
Notes: Imported from purl2cpe mapping

PURL mappings

PURL                                            Source     Last updated
pkg:composer/alextselegidis/easyappointments    purl2cpe   2026-06-01 10:12:41.643801
pkg:github/alextselegidis/easyappointments      purl2cpe   2026-06-01 10:12:41.643803

Vulnerability references

Columns: Identifier, cpeApplicability, Submitted, db.gcve.eu details, Rationale

CVE-2026-23622
  cpeApplicability: vulnerable
  Submitted: 2026-06-08 07:51:15.682196
  Title: CSRF Protection Bypass: Sensitive endpoints accept GET requests, enabling admin account takeover
  Description: Easy!Appointments is a self-hosted appointment scheduler. In 1.5.2 and earlier, application/core/EA_Security.php::csrf_verify() only enforces CSRF for POST requests and returns early for non-POST methods. Several application endpoints perform state-changing operations while accepting parameters from GET (or $_REQUEST), so an attacker can perform CSRF by forcing a victim's browser to issue a crafted GET request. Impact: creation of admin accounts, modification of admin email/password, and full admin account takeover.
  Published: 2026-01-15T19:28:58.369Z
  Updated: 2026-01-15T21:34:43.098Z
  Rationale: Imported from gcve-enriched-dumps CVE data

CVE-2023-3568
  cpeApplicability: vulnerable
  Submitted: 2026-06-08 06:09:39.865242
  Title: Open Redirect in alextselegidis/easyappointments
  Severity: MEDIUM (6.3)
  Description: Open Redirect in GitHub repository alextselegidis/easyappointments prior to 1.5.0.
  Published: 2023-07-10T07:28:46.277Z
  Updated: 2024-11-07T15:11:16.277Z
  Rationale: Imported from gcve-enriched-dumps CVE data

CVE-2023-3290
  cpeApplicability: vulnerable
  Submitted: 2026-06-08 06:09:39.077486
  Title: A BOLA vulnerability in POST /customers in EasyAppointments < 1.5.0
  Severity: MEDIUM (5)
  Description: A BOLA vulnerability in POST /customers allows a low-privileged user to create a low-privileged user (customer) in the system. This results in unauthorized data manipulation.
  Published: 2024-07-09T10:23:21.207Z
  Updated: 2024-08-02T06:48:08.412Z
  Rationale: Imported from gcve-enriched-dumps CVE data

CVE-2023-3285
  cpeApplicability: vulnerable
  Submitted: 2026-06-08 06:09:39.073458
  Title: A BOLA vulnerability in POST /appointments in EasyAppointments < 1.5.0
  Severity: HIGH (7.7)
  Description: A BOLA vulnerability in POST /appointments allows a low-privileged user to create an appointment for any user in the system (including admin). This results in unauthorized data manipulation.
  Published: 2024-07-09T09:37:24.189Z
  Updated: 2024-08-02T06:48:08.473Z
  Rationale: Imported from gcve-enriched-dumps CVE data

CVE-2023-38054
  cpeApplicability: vulnerable
  Submitted: 2026-06-08 06:08:16.824525
  Title: A BOLA vulnerability in GET, PUT, DELETE /customers/{customerId} in EasyAppointments < 1.5.0
  Severity: CRITICAL (9.9)
  Description: A BOLA vulnerability in GET, PUT, DELETE /customers/{customerId} allows a low-privileged user to fetch, modify or delete a low-privileged user (customer). This results in unauthorized access and unauthorized data manipulation.
  Published: 2024-07-09T10:29:10.033Z
  Updated: 2024-08-02T17:30:13.356Z
  Rationale: Imported from gcve-enriched-dumps CVE data

CVE-2023-38049
  cpeApplicability: vulnerable
  Submitted: 2026-06-08 06:08:16.820691
  db.gcve.eu details: skipped to keep the page responsive
  Rationale: Imported from gcve-enriched-dumps CVE data
