
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-0482 is a critical security vulnerability affecting Easy Appointments, an open-source booking system, in versions prior to 1.4.3. The vulnerability was discovered in January 2022 and disclosed in March 2022. It is an exposure of Private Personal Information (PII) to unauthorized actors through an unprotected API endpoint, which allowed attackers to read sensitive customer and service provider data without authentication (OpenCirt).
The flaw is located in the Backendapi.php file, specifically in the ajaxgetcalendarevents() method, which built the response object (including appointment and user data) before checking the caller's permissions. An attacker could exploit this by obtaining a CSRF token from the application's homepage and querying the unprotected API endpoint (/index.php/backendapi/ajaxgetcalendarevents) to download appointment and user data. The vulnerability has been assigned a CVSS v3.1 base score of 9.1 (CRITICAL) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N (NVD).
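The ordering defect described above, shown as an added illustration that is not Easy Appointments' own code: a hypothetical plain-PHP handler that loads and serialises appointment data before any permission check, beside a hardened version that authorises first and fails closed. fetch_calendar_events() and has_privileges() are assumed stand-ins for the application's appointments model and its session/role check.

```php
<?php
// Added illustration of the defect class; hypothetical code, not the project's.
// Assumed stand-ins: fetch_calendar_events() plays the appointments model,
// has_privileges() plays the application's session/role permission check.
function fetch_calendar_events(string $start, string $end): array {
    // Constructed sample record standing in for a database query result.
    return [['id' => 1, 'hash' => 'constructed-hash',
             'customer' => ['email' => 'customer@example.org']]];
}
function has_privileges(?array $session, string $page): bool {
    return $session !== null && in_array($page, $session['allowed'] ?? [], true);
}

// VULNERABLE ordering: the response is built from the database before the
// caller's identity is considered. Role-based filtering only narrows the data
// for logged-in providers/secretaries; an anonymous caller ($session === null)
// matches no role and receives everything.
function vulnerable_handler(?array $session, string $start, string $end): array {
    try {
        $response = ['appointments' => fetch_calendar_events($start, $end)];
        if (($session['role'] ?? null) === 'provider') {
            // per-role filtering would go here; it never runs for anonymous callers
        }
    } catch (Exception $e) {
        $response = ['message' => $e->getMessage()];
    }
    return ['status' => 200, 'body' => $response];
}

// HARDENED ordering: authorise before touching any data, and return nothing
// but a generic error when the check fails.
function hardened_handler(?array $session, string $start, string $end): array {
    if (!has_privileges($session, 'appointments')) {
        return ['status' => 403, 'body' => ['message' => 'Forbidden']];
    }
    $response = ['appointments' => fetch_calendar_events($start, $end)];
    return ['status' => 200, 'body' => $response];
}

// Same anonymous request against both handlers: the first leaks the record,
// the second refuses before any query is issued.
echo json_encode(vulnerable_handler(null, '2022-03-01', '2022-03-31')), PHP_EOL;
echo json_encode(hardened_handler(null, '2022-03-01', '2022-03-31')), PHP_EOL;
```

The point a reviewer checks for is that no model call precedes the authorisation branch, not merely that a check exists somewhere in the method.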
The vulnerability exposed sensitive information including customers' full names, email addresses, phone numbers, physical addresses, appointment hashes that could be used to delete appointments and break data integrity, and service provider data including hashed passwords. This data could be used for identity theft, account takeovers, phishing, scamming, and other malicious purposes (OpenCirt).
The vulnerability was patched in Easy Appointments version 1.4.3, released on March 8, 2022. The fix adds proper authentication checks before sensitive data is accessed. Users are strongly advised to upgrade to version 1.4.3 or later. However, because the application has no automatic update system, many instances may remain vulnerable (OpenCirt, GitHub).
The vulnerability was reported through the Huntr platform and was quickly acknowledged by the developer, Alex Tselegidis. The developer conducted a full security review and fixed other minor security issues alongside this vulnerability. The story was covered by The Daily Swig, highlighting the potential impact on healthcare companies using the software for COVID-19 vaccine scheduling (OpenCirt).
Source: This report was generated using AI