VYPR
Moderate severity · NVD Advisory · Published Apr 15, 2023 · Updated Feb 6, 2025

Cross-site Scripting (XSS) - Stored in alextselegidis/easyappointments

CVE-2023-2102

Description

Cross-site Scripting (XSS) - Stored in GitHub repository alextselegidis/easyappointments prior to 1.5.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Easy!Appointments prior to 1.5.0 contains a stored XSS vulnerability via the user display name in the backend section.

Vulnerability

Overview

CVE-2023-2102 is a stored cross-site scripting (XSS) vulnerability in the Easy!Appointments open-source appointment scheduler, affecting versions prior to 1.5.0. The root cause is insufficient escaping of the user display name when rendered in the backend administrative interface [1][3]. This allows an attacker to inject arbitrary HTML or JavaScript code that persists on the server and executes in the context of other users viewing the affected page.

Exploitation

Prerequisites

To exploit this vulnerability, an attacker must have the ability to set or modify a user's display name, which typically requires authenticated access with at least provider or admin privileges [2]. The injected payload is stored in the database and later rendered without proper sanitization in the backend section, meaning any user with access to that area (e.g., other administrators or providers) will execute the malicious script when viewing the affected record [3]. No special network position is required beyond normal web application access.

Impact

Successful exploitation allows an attacker to perform actions on behalf of other backend users, such as stealing session cookies, exfiltrating sensitive data, or performing unauthorized administrative operations. Because the XSS is stored, the attack can affect multiple users over time without requiring further interaction from the attacker [1][4].

Mitigation

The vulnerability was addressed in commit bddc5cbeb7ff237a72943b304dcb01c653781767, which escapes the user display name in the backend section [3]. Users are strongly advised to upgrade to Easy!Appointments version 1.5.0 or later, which includes this fix [1][2]. No workarounds have been officially documented, but restricting backend user privileges and applying input validation can reduce risk until an upgrade is performed.
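To make the fix concrete, the following is an added example written for this page, not code from the Easy!Appointments project. It assumes an output-escaping helper shaped like the e() call introduced by the fix commit (a thin wrapper around PHP's htmlspecialchars); the project's real e() may differ. The display name is a constructed sample, not data from the advisory.

```php
<?php
// Added example, not Easy!Appointments' own code. The e() helper below is an
// assumption about how the escaping helper used in the fix commit can be
// implemented; the project's real implementation may differ.
declare(strict_types=1);

function e(?string $value): string
{
    // ENT_QUOTES escapes both ' and " so the result is safe in element content
    // and inside quoted attribute values. ENT_SUBSTITUTE replaces invalid UTF-8
    // sequences instead of returning an empty string, so a malformed name is
    // rendered (harmlessly) rather than silently dropped.
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Constructed sample: a display name carrying markup, as a user with provider
// or admin rights could have stored it before the fix.
$displayName = 'Alice <script>alert(1)</script>';

// Before the fix: the stored value is interpolated verbatim into the page, so
// the browser parses the <script> element and runs it for every backend viewer.
$vulnerable = '<a class="nav-link">' . $displayName . '</a>';

// After the fix: the value is escaped at the sink, so the same bytes are shown
// as literal text and never reach the HTML parser as markup.
$fixed = '<a class="nav-link">' . e($displayName) . '</a>';

echo "vulnerable: {$vulnerable}\n";
echo "fixed:      {$fixed}\n";

// Minimal regression check a maintainer could keep in the test suite: the
// escaped output must not contain raw tag delimiters from the stored value.
assert(strpos($fixed, '<script>') === false);
assert($fixed === '<a class="nav-link">Alice &lt;script&gt;alert(1)&lt;/script&gt;</a>');
```

The point of escaping at the sink rather than validating on input is that the same stored name may be rendered in several places (element content, attributes, JSON); each output context needs its own encoding, and htmlspecialchars with ENT_QUOTES covers the HTML element and quoted-attribute cases shown in the patched view.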

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
alextselegidis/easyappointments (Packagist) | <= 1.4.3 |

Affected products (2)

Patches (1)

bddc5cbeb7ff

Escape the user display name in the backend section

https://github.com/alextselegidis/easyappointments · Alex Tselegidis · Apr 15, 2023 · via ghsa
1 file changed · +1 −1
  • application/views/components/backend_header.php (+1 −1, modified)
    @@ -86,7 +86,7 @@
                     <a class="nav-link dropdown-toggle" href="#" data-bs-toggle="dropdown"
                        data-tippy-content="<?= lang('settings_hint') ?>">
                         <i class="fas fa-user me-2"></i>
    -                    <?= vars('user_display_name') ?>
    +                    <?= e(vars('user_display_name')) ?>
                     </a>
                     <div class="dropdown-menu dropdown-menu-end">
                         <?php if (can('view', PRIV_SYSTEM_SETTINGS)): ?>
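Review bot: the escaping is applied at exactly one sink, the `<?= e(vars('user_display_name')) ?>` line in backend_header.php, and nothing in the hunk shows the other views that echo `vars(...)` values with `<?= ... ?>`; those should be audited for the same missing `e()` call so the stored name cannot be rendered raw elsewhere. Because the same value may later be placed inside an attribute (the surrounding `<a>` already carries a `data-tippy-content` attribute built with `<?= ... ?>`), `e()` must escape `"` and `'` as well as `<` and `>`; a regression test that renders a display name containing all four characters and asserts on the resulting HTML would pin that down, and the commit would benefit from a one-line note that `e()` is now the required way to emit user-controlled strings in views.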
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (4)

News mentions (0)

No linked articles in our index yet.