Easy!appointments

easy!appointments

CVEs (34)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2026-23622 1Easyappointments 1Easy!appointments Apr 29, 2026 Jan 15, 2026 7.4 HIGH· v4 8.8 HIGH· v3 N/A· v2 Easy!Appointments is a self hosted appointment scheduler. In 1.5.2 and earlier, application/core/EA_Security.php::csrf_verify() only enforces CSRF for POST requests and returns early for non-POST methods. Several applica...Show more Easy!Appointments is a self hosted appointment scheduler. In 1.5.2 and earlier, application/core/EA_Security.php::csrf_verify() only enforces CSRF for POST requests and returns early for non-POST methods. Several application endpoints perform state-changing operations while accepting parameters from GET (or $_REQUEST), so an attacker can perform CSRF by forcing a victim's browser to issue a crafted GET request. Impact: creation of admin accounts, modification of admin email/password, and full admin account takeover.Show less
CVE-2025-50383 1Easyappointments 1Easy!appointments Oct 1, 2025 Aug 25, 2025 N/A· v4 8.1 HIGH· v3 N/A· v2 alextselegidis Easy!Appointments v1.5.1 was discovered to contain a SQL injection vulnerability via the order_by parameter.
CVE-2025-29448 1Easyappointments 1Easy!appointments Jan 28, 2026 May 7, 2025 N/A· v4 7.5 HIGH· v3 N/A· v2 Booking logic flaw in Easy!Appointments v1.5.1 allows unauthenticated attackers to create appointments with excessively long durations, causing a denial of service by blocking all future booking availability.
CVE-2025-31828 1Easyappointments 1Easy!appointments Apr 23, 2026 Apr 1, 2025 N/A· v4 8.8 HIGH· v3 N/A· v2 Cross-Site Request Forgery (CSRF) vulnerability in alextselegidis Easy!Appointments easyappointments allows Cross Site Request Forgery.This issue affects Easy!Appointments: from n/a through <= 1.4.2.
CVE-2024-57602 1Easyappointments 1Easy!appointments Mar 18, 2025 Feb 12, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue in Alex Tselegidis EasyAppointments v.1.5.0 allows a remote attacker to escalate privileges via the index.php file.
CVE-2024-57601 1Easyappointments 1Easy!appointments Sep 29, 2025 Feb 12, 2025 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Cross Site Scripting vulnerability in Alex Tselegidis EasyAppointments v.1.5.0 allows a remote attacker to execute arbitrary code via the legal_settings parameter.
CVE-2023-3290 1Easyappointments 1Easy!appointments Nov 21, 2024 Jul 9, 2024 N/A· v4 5.0 MEDIUM· v3 N/A· v2 A BOLA vulnerability in POST /customers allows a low privileged user to create a low privileged user (customer) in the system. This results in unauthorized data manipulation.
CVE-2023-3289 1Easyappointments 1Easy!appointments Nov 21, 2024 Jul 9, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 A BOLA vulnerability in POST /services allows a low privileged user to create a service for any user in the system (including admin). This results in unauthorized data manipulation.
CVE-2023-3288 1Easyappointments 1Easy!appointments Nov 21, 2024 Jul 9, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 A BOLA vulnerability in POST /providers allows a low privileged user to create a privileged user (provider) in the system. This results in privilege escalation.
CVE-2023-3287 1Easyappointments 1Easy!appointments Nov 21, 2024 Jul 9, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 A BOLA vulnerability in POST /admins allows a low privileged user to create a high privileged user (admin) in the system. This results in privilege escalation.
CVE-2023-3286 1Easyappointments 1Easy!appointments Nov 21, 2024 Jul 9, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 A BOLA vulnerability in POST /secretaries allows a low privileged user to create a low privileged user (secretary) in the system. This results in unauthorized data manipulation.
CVE-2023-38055 1Easyappointments 1Easy!appointments Nov 21, 2024 Jul 9, 2024 N/A· v4 8.1 HIGH· v3 N/A· v2 A BOLA vulnerability in GET, PUT, DELETE /services/{serviceId} allows a low privileged user to fetch, modify or delete the services of any user (including admin). This results in unauthorized access and unauthorized data...Show more A BOLA vulnerability in GET, PUT, DELETE /services/{serviceId} allows a low privileged user to fetch, modify or delete the services of any user (including admin). This results in unauthorized access and unauthorized data manipulation.Show less
CVE-2023-38054 1Easyappointments 1Easy!appointments Nov 21, 2024 Jul 9, 2024 N/A· v4 8.1 HIGH· v3 N/A· v2 A BOLA vulnerability in GET, PUT, DELETE /customers/{customerId} allows a low privileged user to fetch, modify or delete a low privileged user (customer). This results in unauthorized access and unauthorized data manipul...Show more A BOLA vulnerability in GET, PUT, DELETE /customers/{customerId} allows a low privileged user to fetch, modify or delete a low privileged user (customer). This results in unauthorized access and unauthorized data manipulation.Show less
CVE-2023-38053 1Easyappointments 1Easy!appointments Nov 21, 2024 Jul 9, 2024 N/A· v4 8.1 HIGH· v3 N/A· v2 A BOLA vulnerability in GET, PUT, DELETE /settings/{settingName} allows a low privileged user to fetch, modify or delete the settings of any user (including admin). This results in unauthorized access and unauthorized da...Show more A BOLA vulnerability in GET, PUT, DELETE /settings/{settingName} allows a low privileged user to fetch, modify or delete the settings of any user (including admin). This results in unauthorized access and unauthorized data manipulation.Show less
CVE-2023-38052 1Easyappointments 1Easy!appointments Nov 21, 2024 Jul 9, 2024 N/A· v4 8.1 HIGH· v3 N/A· v2 A BOLA vulnerability in GET, PUT, DELETE /admins/{adminId} allows a low privileged user to fetch, modify or delete a high privileged user (admin). This results in unauthorized access and unauthorized data manipulation.
CVE-2023-38051 1Easyappointments 1Easy!appointments Nov 21, 2024 Jul 9, 2024 N/A· v4 8.1 HIGH· v3 N/A· v2 A BOLA vulnerability in GET, PUT, DELETE /secretaries/{secretaryId} allows a low privileged user to fetch, modify or delete a low privileged user (secretary). This results in unauthorized access and unauthorized data man...Show more A BOLA vulnerability in GET, PUT, DELETE /secretaries/{secretaryId} allows a low privileged user to fetch, modify or delete a low privileged user (secretary). This results in unauthorized access and unauthorized data manipulation.Show less
CVE-2023-38050 1Easyappointments 1Easy!appointments Nov 21, 2024 Jul 9, 2024 N/A· v4 8.1 HIGH· v3 N/A· v2 A BOLA vulnerability in GET, PUT, DELETE /webhooks/{webhookId} allows a low privileged user to fetch, modify or delete a webhook of any user (including admin). This results in unauthorized access and unauthorized data ma...Show more A BOLA vulnerability in GET, PUT, DELETE /webhooks/{webhookId} allows a low privileged user to fetch, modify or delete a webhook of any user (including admin). This results in unauthorized access and unauthorized data manipulation.Show less
CVE-2023-38049 1Easyappointments 1Easy!appointments Nov 21, 2024 Jul 9, 2024 N/A· v4 8.1 HIGH· v3 N/A· v2 A BOLA vulnerability in GET, PUT, DELETE /appointments/{appointmentId} allows a low privileged user to fetch, modify or delete an appointment of any user (including admin). This results in unauthorized access and unautho...Show more A BOLA vulnerability in GET, PUT, DELETE /appointments/{appointmentId} allows a low privileged user to fetch, modify or delete an appointment of any user (including admin). This results in unauthorized access and unauthorized data manipulation.Show less
CVE-2023-38048 1Easyappointments 1Easy!appointments Nov 21, 2024 Jul 9, 2024 N/A· v4 8.1 HIGH· v3 N/A· v2 A BOLA vulnerability in GET, PUT, DELETE /providers/{providerId} allows a low privileged user to fetch, modify or delete a privileged user (provider). This results in unauthorized access and unauthorized data manipulatio...Show more A BOLA vulnerability in GET, PUT, DELETE /providers/{providerId} allows a low privileged user to fetch, modify or delete a privileged user (provider). This results in unauthorized access and unauthorized data manipulation.Show less
CVE-2023-38047 1Easyappointments 1Easy!appointments Nov 21, 2024 Jul 9, 2024 N/A· v4 8.1 HIGH· v3 N/A· v2 A BOLA vulnerability in GET, PUT, DELETE /categories/{categoryId} allows a low privileged user to fetch, modify or delete the category of any user (including admin). This results in unauthorized access and unauthorized d...Show more A BOLA vulnerability in GET, PUT, DELETE /categories/{categoryId} allows a low privileged user to fetch, modify or delete the category of any user (including admin). This results in unauthorized access and unauthorized data manipulation.Show less

12 Next