Cross-site Scripting (XSS) - Stored in alextselegidis/easyappointments
Description
Cross-site Scripting (XSS) - Stored in GitHub repository alextselegidis/easyappointments prior to 1.5.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Easy!Appointments prior to 1.5.0 allows attackers to inject arbitrary JavaScript via unescaped service names, group labels, and legal settings.
Vulnerability
Overview
CVE-2023-2103 is a stored cross-site scripting (XSS) vulnerability in the Easy!Appointments booking system, affecting versions prior to 1.5.0. The root cause is missing output escaping when the public booking page renders user-controlled fields: service names, category group labels (emitted inside an HTML attribute), and the cookie notice, privacy policy and terms-and-conditions content shown in the booking page modals. The fix, visible in commit [2], passes these values through the application's e() escaping helper before rendering (e() is the project's own helper, not a PHP built-in) and additionally escapes the service name in the client-side booking script.
Exploitation
An attacker with the ability to create or edit services, categories, or legal settings (typically an authenticated administrator or provider) can inject malicious JavaScript into these fields. The injected script is stored in the database and executes in the browser of every user who visits the booking page, including customers and other staff. Once stored, no further action or authentication is required to trigger the payload.
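The rendering flaw and its fix, modelled as an added example (this is not code from the Easy!Appointments project): a Node.js rendering of the booking page's service select in its vulnerable and escaped forms. escapeHtml() stands in for the project's e() helper and is assumed to behave like htmlspecialchars with quote escaping; the service and category data below is constructed for the demonstration.

```javascript
// Added example (not Easy!Appointments code): a model of the <select> markup
// that booking_type_step.php builds, in its vulnerable and escaped forms.
// escapeHtml() is an assumed stand-in for the project's e() helper, and the
// sample service data below is constructed for the demonstration.

const ESCAPE_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };

// Escape the five characters that change meaning in HTML text or inside a
// quoted attribute. Quotes matter here because the category label is emitted
// inside label="...".
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ESCAPE_MAP[ch]);
}

// Vulnerable shape: database values are concatenated straight into markup.
function renderServicesVulnerable(groups) {
  let html = '';
  for (const [label, services] of Object.entries(groups)) {
    html += '<optgroup label="' + label + '">';
    for (const service of services) {
      html += '<option value="' + service.id + '">' + service.name + '</option>';
    }
    html += '</optgroup>';
  }
  return html;
}

// Fixed shape: every attacker-controlled string passes through the escaper
// at the point it is inserted, and the id is forced to an integer so the
// value attribute cannot carry markup either.
function renderServicesFixed(groups) {
  let html = '';
  for (const [label, services] of Object.entries(groups)) {
    html += '<optgroup label="' + escapeHtml(label) + '">';
    for (const service of services) {
      const id = Number.parseInt(service.id, 10);
      if (Number.isNaN(id)) {
        throw new TypeError('service id must be numeric');
      }
      html += '<option value="' + id + '">' + escapeHtml(service.name) + '</option>';
    }
    html += '</optgroup>';
  }
  return html;
}

// Coarse review-time check over rendered output, not a sanitizer: a <script>
// tag, or an on* event-handler attribute inside a tag, that the template
// never emits itself is a sign that a stored value reached the page unescaped.
function containsInjectedMarkup(html) {
  return /<script\b|<\w+[^>]*\son\w+\s*=/i.test(html);
}

// Constructed sample: an administrator-controlled category label that breaks
// out of the label attribute, a service name that injects an <img> handler,
// and a benign name with an ampersand to show the escaper keeps it readable.
const SAMPLE_GROUPS = {
  'Hair"><script>alert(1)</script><optgroup label="': [
    { id: 7, name: 'Cut <img src=x onerror=alert(document.cookie)>' },
    { id: 8, name: 'Wash & Style' },
  ],
};

console.log('vulnerable:', renderServicesVulnerable(SAMPLE_GROUPS));
console.log('fixed:     ', renderServicesFixed(SAMPLE_GROUPS));
```

Running it with node prints both renderings: the vulnerable output contains two optgroup tags and a live script element, while the fixed output keeps the payloads as visible text. The label payload also shows why the escaper has to cover double quotes; a helper that only handles `<`, `>` and `&` would still allow the attribute breakout.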
Impact
Successful exploitation allows arbitrary JavaScript execution in the victim's browser within the origin of the booking site, in the context of the victim's session. This can lead to session hijacking, credential theft, defacement, or redirection to malicious sites. The vulnerability carries a CVSS base score of 6.1 (medium severity) and was reported via the huntr.dev bug bounty platform [4].
Mitigation
The vulnerability is patched in Easy!Appointments version 1.5.0, and users are strongly advised to upgrade. The official advisory [1] and the commit [2] describe the fix. No workaround is documented; because the payload has to be stored through an account that can edit services, categories or legal settings, limiting who holds such access reduces exposure until the upgrade is applied. Since the fix escapes on output, payloads already saved in the database are rendered as inert text once the patched views are deployed, but auditing those fields for stray markup after upgrading is still sensible.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| alextselegidis/easyappointments (Packagist) | <= 1.4.3 | — |
Affected products
- alextselegidis/easyappointments: affected range unspecified
Patches
Commit 146a865300e94: Escape the legal settings, service and category name in the booking page
5 files changed · +8 −8
application/views/components/booking_type_step.php+4 −4 modified@@ -1,7 +1,7 @@ <?php /** * Local variables. - * + * * @var array $available_services */ ?> @@ -66,11 +66,11 @@ if (count($group) > 0) { - echo '<optgroup label="' . $group_label . '">'; + echo '<optgroup label="' . e($group_label) . '">'; foreach ($group as $service) { echo '<option value="' . $service['id'] . '">' - . $service['name'] . '</option>'; + . e($service['name']) . '</option>'; } echo '</optgroup>'; } @@ -80,7 +80,7 @@ { foreach ($available_services as $service) { - echo '<option value="' . $service['id'] . '">' . $service['name'] . '</option>'; + echo '<option value="' . $service['id'] . '">' . e($service['name']) . '</option>'; } } ?>
application/views/components/cookie_notice_modal.php+1 −1 modified@@ -13,7 +13,7 @@ <button type="button" class="btn-close" data-bs-dismiss="modal"></button> </div> <div class="modal-body"> - <p><?= $cookie_notice_content ?></p> + <p><?= e($cookie_notice_content) ?></p> </div> <div class="modal-footer"> <button type="button" class="btn btn-secondary" data-bs-dismiss="modal">
application/views/components/privacy_policy_modal.php+1 −1 modified@@ -15,7 +15,7 @@ </button> </div> <div class="modal-body"> - <p><?= $privacy_policy_content ?></p> + <p><?= e($privacy_policy_content) ?></p> </div> <div class="modal-footer"> <button type="button" class="btn btn-secondary" data-bs-dismiss="modal">
application/views/components/terms_and_conditions_modal.php+1 −1 modified@@ -14,7 +14,7 @@ <button type="button" class="btn-close" data-bs-dismiss="modal"></button> </div> <div class="modal-body"> - <p><?= $terms_and_conditions_content ?></p> + <p><?= e($terms_and_conditions_content) ?></p> </div> <div class="modal-footer"> <button type="button" class="btn btn-secondary" data-bs-dismiss="modal">
assets/js/pages/booking.js+1 −1 modified@@ -803,7 +803,7 @@ App.Pages.Booking = (function () { } $('<strong/>', { - 'text': service.name + 'text': App.Utils.String.escapeHtml(service.name), }).appendTo($serviceDescription); if (service.description) {
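Review bot: `$service['id']` is still interpolated unescaped in both `'<option value="' . $service['id'] . '">'` lines of application/views/components/booking_type_step.php while the label and name beside it now go through e(); the id is presumably an integer from the database, but casting it with `(int) $service['id']` (or escaping it like the rest) would leave the template with no raw interpolation at all. Since `e($group_label)` lands inside `label="..."`, please also confirm that e() escapes double quotes (htmlspecialchars with ENT_QUOTES); escaping only `<`, `>` and `&` would not stop an attribute breakout there. The first hunk in this file only removes trailing whitespace from a docblock line and is unrelated churn for a security fix.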
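Review bot: Wrapping the entire `$cookie_notice_content`, `$privacy_policy_content` and `$terms_and_conditions_content` in e() (the three modal views) turns any markup an administrator has saved in these legal-text settings into literal text inside one `<p>`; if the settings page accepts formatted text this is a functional regression, so either confirm the fields are plain text or run them through an HTML sanitizer with an allowlist of formatting tags rather than full escaping.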
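Review bot: `'text': App.Utils.String.escapeHtml(service.name)` in assets/js/pages/booking.js double-encodes: jQuery's `text` option assigns textContent, which the browser never parses as HTML, so the previous `'text': service.name` was already not an XSS sink and a name such as `Wash & Cut` will now display as `Wash &amp; Cut`. Suggest reverting this hunk; escaping belongs where a value is inserted as HTML, not where it is set as text.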
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
News mentions (0)
No linked articles in our index yet.