VYPR
← All advisories
Critical severityNVD Advisory· Published Mar 9, 2022· Updated Aug 2, 2024

Exposure of Private Personal Information to an Unauthorized Actor in alextselegidis/easyappointments

CVE-2022-0482

Description

Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository alextselegidis/easyappointments prior to 1.4.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Easy!Appointments prior to 1.4.3 exposes private personal information to unauthorized actors via an undisclosed route.

Vulnerability

Easy!Appointments versions prior to 1.4.3 contain an information disclosure vulnerability that exposes private personal information to unauthorized actors. The issue is present in the self-hosted open source appointment scheduler. Affected versions include all releases before 1.4.3, which was published on 2022-03-08 [3]. The specific vulnerable endpoint or mechanism is not detailed in the available references, but the official CVE description confirms exposure of private personal information [1].

Exploitation

An attacker can exploit this vulnerability without requiring authentication, as the exposure occurs to “unauthorized actors.” The exact network position needed (e.g., local or remote) is not specified, but the vulnerability is remotely exploitable based on the description “Exposure of Private Personal Information to an Unauthorized Actor” [1]. No user interaction or special privileges are required. The exploitation steps are not publicly detailed, but the Packet Storm advisory [1] may contain proof-of-concept details [1].

Impact

Successful exploitation leads to the disclosure of private personal information, which may include customer names, email addresses, phone numbers, appointment details, or other sensitive data managed by the application. This constitutes a confidentiality breach, potentially exposing the operator’s business or its customers to privacy violations and further targeted attacks [1][4].

Mitigation

The vendor released version 1.4.3 on 2022-03-08, which fixes the vulnerability [3]. Users must update to 1.4.3 or later immediately. There is no workaround disclosed in the references. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities (KEV) catalog as of the last available check. No additional mitigations, such as configuration changes, are provided [2][4].

References
  1. NVD - CVE-2022-0482
  2. GitHub - alextselegidis/easyappointments: :date: Easy!Appointments - Self Hosted Appointment Scheduler
  3. Release 1.4.3 · alextselegidis/easyappointments
  4. Software Architect & Ethical Hacker

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
alextselegidis/easyappointmentsPackagist
< 1.4.31.4.3

Affected products

2

Patches

1
44af526a6fc5

Release v1.4.3

https://github.com/alextselegidis/easyappointmentsAlex TselegidisMar 8, 2022via ghsa
commit
1 file changed · +2 2
  • application/config/config.php+2 2 modified
    @@ -8,7 +8,7 @@
 | Declare some of the global config values of Easy!Appointments.
 |
 */
-$config['version'] = '1.4.3-beta.1'; // This must be changed manually.
+$config['version'] = '1.4.3'; // This must be changed manually.
 $config['release_label'] = ''; // Leave empty for no title or add Alpha, Beta etc ...
 $config['debug'] = Config::DEBUG_MODE;
 
@@ -314,7 +314,7 @@
 | new release.
 |
 */
-$config['cache_busting_token'] = '8UC842';
+$config['cache_busting_token'] = '6398SW';
 
 /*
 |--------------------------------------------------------------------------

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

8

News mentions

0

No linked articles in our index yet.