History: Mar 24, 2023 - 5:05 p.m.

Improper Access Control which allows one provider to view and edit other providers' appointment details

Published: 2023-03-24 17:05:34
Reporter: hacker1984
Source: www.huntr.dev
Score: 10
Tags: improper access control, provider appointment details, POST request, sensitive information, bug bounty

EPSS: 0.001 (percentile 34.5%)

Description

Log in using one provider's credentials. After logging in successfully, notice that there is a POST request to /index.php/backend_api/ajax_get_calendar_appointments which allows the provider to view their own appointment information. However, by changing the record_id parameter to any number (starting from 1, depending on how many services you have) and setting filter_type=service with a one-month range of start_date and end_date in the POST request, the provider is able to view and edit other providers' appointment details, which they should not be allowed to do (the provider has effectively gained the secretary's privileges on the Calendar page). Furthermore, the appointment details contain sensitive information such as the other providers' and customers' details.
The following are the sample HTTP request parameters I sent using the provider account to retrieve all other providers' appointment details for the first service.

csrfToken=07fa417ef4a7e4a5e0a7ae494f5b0369&record_id=1&start_date=2023-03-19&end_date=2023-03-26&filter_type=service
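As an added illustration (not code from this report or from the affected project), the following Python guard shows the server-side authorization check whose absence the report describes: a provider may only load their own calendar (filter_type=provider with their own record_id), while filtering by service, which exposes every provider's bookings for that service, is reserved for the secretary role and an assumed admin role.

```python
from dataclasses import dataclass
from urllib.parse import parse_qs

# Roles assumed for illustration. The report names "provider" and "secretary";
# "admin" is an assumption added here.
ROLE_ADMIN = "admin"
ROLE_SECRETARY = "secretary"
ROLE_PROVIDER = "provider"


@dataclass(frozen=True)
class User:
    user_id: int
    role: str


def is_calendar_request_authorized(user: User, filter_type: str, record_id: int) -> bool:
    """Decide whether `user` may fetch appointments for (filter_type, record_id).

    The vulnerable behaviour in the report is equivalent to returning True for any
    logged-in user, regardless of whose records record_id points at.
    """
    if filter_type not in ("provider", "service"):
        return False
    if user.role in (ROLE_ADMIN, ROLE_SECRETARY):
        return True  # calendar-wide roles may use either filter
    if user.role == ROLE_PROVIDER:
        # A provider is bound to their own calendar: the record_id must be their own
        # id, and the service filter is denied because it spans all providers.
        return filter_type == "provider" and record_id == user.user_id
    return False  # unknown role: deny by default


def authorize_form_body(user: User, body: str) -> bool:
    """Run the guard over an x-www-form-urlencoded body like the one in the report.

    A missing or non-numeric record_id is treated as denied rather than as a wildcard.
    """
    params = parse_qs(body, keep_blank_values=True)
    filter_type = params.get("filter_type", [""])[0]
    try:
        record_id = int(params.get("record_id", [""])[0])
    except ValueError:
        return False
    return is_calendar_request_authorized(user, filter_type, record_id)


# Constructed sample: the request body quoted in the report, sent by a provider.
REPORT_BODY = ("csrfToken=07fa417ef4a7e4a5e0a7ae494f5b0369&record_id=1"
               "&start_date=2023-03-19&end_date=2023-03-26&filter_type=service")
```

With the guard in place the report's request is rejected for a provider session but still served to a secretary, which is the behaviour the report says was missing.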
