Easyappointments: Security Vulnerabilities
Easy!Appointments is a self-hosted appointment scheduler. In 1.5.2 and earlier, application/core/EA_Security.php::csrf_verify() only enforces CSRF for POST requests and returns early for non-POST methods. Several application endpoints perform state-changing operations while accepting parameters from GET (or $_REQUEST), so an attacker can perform CSRF by forcing a victim's browser to issue a crafted GET request. Impact: creation of admin accounts, modification of admin email/password, and full admin account takeover.
CVSS Score: 8.7, EPSS Score: 0.0, Published: 2026-01-15
alextselegidis Easy!Appointments v1.5.1 was discovered to contain a SQL injection vulnerability via the order_by parameter.
CVSS Score: 8.1, EPSS Score: 0.0, Published: 2025-08-25
Booking logic flaw in Easy!Appointments v1.5.1 allows unauthenticated attackers to create appointments with excessively long durations, causing a denial of service by blocking all future booking availability.
CVSS Score: 7.5, EPSS Score: 0.005, Published: 2025-05-07
Cross-Site Request Forgery (CSRF) vulnerability in alextselegidis Easy!Appointments easyappointments allows Cross Site Request Forgery. This issue affects Easy!Appointments: from n/a through <= 1.4.2.
CVSS Score: 4.3, EPSS Score: 0.001, Published: 2025-04-01
Cross Site Scripting vulnerability in Alex Tselegidis EasyAppointments v.1.5.0 allows a remote attacker to execute arbitrary code via the legal_settings parameter.
CVSS Score: 6.1, EPSS Score: 0.002, Published: 2025-02-12
An issue in Alex Tselegidis EasyAppointments v.1.5.0 allows a remote attacker to escalate privileges via the index.php file.
CVSS Score: 9.8, EPSS Score: 0.011, Published: 2025-02-12
A BOLA vulnerability in GET, PUT, DELETE /services/{serviceId} allows a low privileged user to fetch, modify or delete the services of any user (including admin). This results in unauthorized access and unauthorized data manipulation.
CVSS Score: 9.6, EPSS Score: 0.002, Published: 2024-07-09
A BOLA vulnerability in POST /secretaries allows a low privileged user to create a low privileged user (secretary) in the system. This results in unauthorized data manipulation.
CVSS Score: 7.7, EPSS Score: 0.002, Published: 2024-07-09
A BOLA vulnerability in POST /admins allows a low privileged user to create a high privileged user (admin) in the system. This results in privilege escalation.
CVSS Score: 9.9, EPSS Score: 0.002, Published: 2024-07-09
A BOLA vulnerability in POST /providers allows a low privileged user to create a privileged user (provider) in the system. This results in privilege escalation.
CVSS Score: 8.5, EPSS Score: 0.002, Published: 2024-07-09

