VYPR
← All advisories
Critical severityNVD Advisory· Published Mar 8, 2023· Updated Mar 5, 2025

Use of Hard-coded Credentials in alextselegidis/easyappointments

CVE-2023-1269

Description

Use of Hard-coded Credentials in GitHub repository alextselegidis/easyappointments prior to 1.5.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Easy!Appointments before 1.5.0 shipped with hard-coded credentials, allowing unauthorized admin access via the known password 'administrator'.

CVE-2023-1269 describes a use of hard-coded credentials vulnerability in the Easy!Appointments application, an open-source appointment scheduler. Prior to version 1.5.0, the application's database seeder script hard-coded the default administrator password as 'administrator' [1]. This hard-coded credential was embedded in the source code and used during the initial database setup, meaning any instance installed without changing the default password would have a known administrative account [2].

The vulnerability can be exploited by an unauthenticated attacker who knows the default password. The Easy!Appointments administrative panel is accessible via a web interface, and an attacker can simply log in using the username 'administrator' and the hard-coded password 'administrator' [1]. No other authentication bypass or privilege escalation is needed; the attacker directly gains administrator access to the application [2].

The impact of successful exploitation is that an attacker gains full administrative control over the Easy!Appointments instance. This includes the ability to view, create, modify, and delete appointments, manage service providers, access customer data, and alter application settings [2]. The confidentiality, integrity, and availability of the application's data are all at risk [1].

The fix was implemented in commit 2731d2f, which was included in version 1.5.0 [3]. The commit replaced the hard-coded password in the seeder with a dynamically generated random string, ensuring that each installation gets a unique, unknown administrator password [3]. Users are strongly recommended to upgrade to version 1.5.0 or later [1]. If upgrading is not immediately possible, any administrator password set after installation should be changed from the default to a strong, unique value [2].

References
  1. NVD - CVE-2023-1269
  2. GitHub - alextselegidis/easyappointments: :date: Easy!Appointments - Self Hosted Appointment Scheduler
  3. Update the seeders so that they set dynamic passwords by default · alextselegidis/easyappointments@2731d2f

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
alextselegidis/easyappointmentsPackagist
<= 1.4.3

Affected products

2

Patches

1
2731d2f17c51

Update the seeders so that they set dynamic passwords by default

https://github.com/alextselegidis/easyappointmentsAlex TselegidisMar 1, 2023via ghsa
commit
3 files changed · +17 6
  • application/controllers/Console.php+2 2 modified
    @@ -55,9 +55,9 @@ public function install()
     {
         $this->instance->migrate('fresh');
 
-        $this->instance->seed();
+        $password = $this->instance->seed();
 
-        response(PHP_EOL . '⇾ Installation completed, login with "administrator" / "administrator".' . PHP_EOL . PHP_EOL);
+        response(PHP_EOL . '⇾ Installation completed, login with "administrator" / "' . $password . '".' . PHP_EOL . PHP_EOL);
     }
 
     /**
  • application/controllers/Installation.php+1 1 modified
    @@ -113,7 +113,7 @@ public function perform()
                 ],
                 'settings' => [
                     'username' => 'janedoe',
-                    'password' => 'janedoe',
+                    'password' => random_string(),
                     'working_plan' => setting('company_working_plan'),
                     'notifications' => TRUE,
                     'google_sync' => FALSE,
  • application/libraries/Instance.php+14 3 modified
    @@ -84,31 +84,38 @@ public function migrate(string $type = '')
 
     /**
      * Seed the database with test data.
+     *
+     * @return string Return's the administrator user password.
      */
-    public function seed()
+    public function seed(): string
     {
         // Settings
+        
         setting([
             'company_name' => 'Company Name',
             'company_email' => 'info@example.org',
             'company_link' => 'https://example.org',
         ]);
 
+        $password = random_string();
+
         // Admin
+
         $this->CI->admins_model->save([
             'first_name' => 'John',
             'last_name' => 'Doe',
             'email' => 'john@example.org',
             'phone_number' => '+10000000000',
             'settings' => [
                 'username' => 'administrator',
-                'password' => 'administrator',
+                'password' => $password,
                 'notifications' => TRUE,
                 'calendar_view' => CALENDAR_VIEW_DEFAULT
             ],
         ]);
 
         // Service
+
         $service_id = $this->CI->services_model->save([
             'name' => 'Service',
             'duration' => '30',
@@ -119,6 +126,7 @@ public function seed()
         ]);
 
         // Provider
+
         $this->CI->providers_model->save([
             'first_name' => 'Jane',
             'last_name' => 'Doe',
@@ -129,7 +137,7 @@ public function seed()
             ],
             'settings' => [
                 'username' => 'janedoe',
-                'password' => 'janedoe',
+                'password' => random_string(),
                 'working_plan' => setting('company_working_plan'),
                 'notifications' => TRUE,
                 'google_sync' => FALSE,
@@ -140,12 +148,15 @@ public function seed()
         ]);
 
         // Customer
+
         $this->CI->customers_model->save([
             'first_name' => 'James',
             'last_name' => 'Doe',
             'email' => 'james@example.org',
             'phone_number' => '+10000000000',
         ]);
+
+        return $password;
     }
 
     /**

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.