CVE-2024-57602: 
PHP vulnerability analysis and mitigation

An issue in Alex Tselegidis EasyAppointments v.1.5.0 allows a remote attacker to escalate privileges via the index.php file. The vulnerability (CVE-2024-57602) was discovered on December 22nd, 2024, and publicly disclosed on February 12th, 2025. The vulnerability affects the admin login functionality of EasyAppointments, a web-based appointment scheduling system, with over 3,000 affected assets (Vulnerability Report).

The vulnerability exists in the admin panel login validation endpoint [/index.php/login/validate]. While the application implements server-side rate limiting, it can be bypassed by introducing delays between authentication attempts. The exploit allows an attacker to attempt 69,120 passwords within a 24-hour period by sleeping for 10 seconds after every 8 password attempts. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction (NVD).

The vulnerability allows unauthorized access to admin accounts through brute force attacks, potentially leading to complete system compromise. Successful exploitation could result in unauthorized administrative access, data breach, and system manipulation (Vulnerability Report).

While no official patch is available, several recommended mitigations include: blocking IPs after a specified number of failed attempts, implementing account lockout policies after failed authentication attempts, and setting up two-factor authentication with proper rate limiting. The software maintainer has stated that the current rate limiting mechanism is sufficient, though security researchers disagree with this assessment (Vulnerability Report).