Improper Access Control in alextselegidis/easyappointments
Description
Improper Access Control in GitHub repository alextselegidis/easyappointments prior to 1.5.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Easy!Appointments prior to 1.5.0 had an improper access control vulnerability allowing providers and secretaries to view appointments of other users.
CVE-2023-2104 is an improper access control vulnerability in alextselegidis/easyappointments, an open-source appointment scheduler. The root cause is that the get_calendar_appointments function did not verify that a provider or secretary user was only accessing their own or assigned providers' appointment data. This allowed users with provider or secretary roles to retrieve appointments belonging to other users.
To exploit the vulnerability, an attacker must have a valid account with either a provider or secretary role. No special network position is required; the attacker sends a request to the calendar endpoint, which returns all appointments without proper filtering based on the user's role and associations. The fix, introduced in commit 75b24735767868344193fb2cc56e17ee4b9ac4be, adds checks to filter appointments based on the user's role and provider associations.
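An added example, not Easy!Appointments code, of the role-scoped filtering the fix introduces, written so that it fails closed: the set of visible provider IDs is derived from the session role, any role the function does not recognise sees nothing, the comparison is strict, and the same rule is applied to every per-provider collection in the response (the real patch filters both appointments and unavailabilities). Function names, role slugs, the secretary-to-provider lookup and the sample rows are assumptions for illustration.

```php
<?php
// Added example (not Easy!Appointments code): default-deny role scoping of a
// calendar response. Role slugs, helper names and sample rows are assumed.

const ROLE_ADMIN = 'admin';
const ROLE_PROVIDER = 'provider';
const ROLE_SECRETARY = 'secretary';

/**
 * Provider IDs whose rows the current user may see, or null when the role is
 * allowed to see everything (admin only). Unknown roles get an empty set, so a
 * new or mistyped role sees nothing instead of everything.
 */
function visibleProviderIds(string $role, int $userId, array $secretaryProviders): ?array
{
    switch ($role) {
        case ROLE_ADMIN:
            return null;
        case ROLE_PROVIDER:
            return [$userId];
        case ROLE_SECRETARY:
            // Assumed lookup: secretary user ID => assigned provider IDs.
            return array_map('intval', $secretaryProviders[$userId] ?? []);
        default:
            return [];
    }
}

/** Keep only rows whose id_users_provider is in the visible set (strict compare). */
function filterByProvider(array $rows, ?array $visible): array
{
    if ($visible === null) {
        return $rows;
    }
    $kept = array_filter($rows, function (array $row) use ($visible): bool {
        return in_array((int) $row['id_users_provider'], $visible, true);
    });
    return array_values($kept);
}

/** Apply the rule to every per-provider collection, not just appointments. */
function scopeCalendarResponse(array $response, string $role, int $userId, array $secretaryProviders): array
{
    $visible = visibleProviderIds($role, $userId, $secretaryProviders);
    foreach (['appointments', 'unavailabilities'] as $key) {
        $response[$key] = filterByProvider($response[$key] ?? [], $visible);
    }
    return $response;
}

// Constructed sample data: providers 1 and 2, secretary 9 assigned to provider 2.
$response = [
    'appointments' => [
        ['id' => 100, 'id_users_provider' => 1, 'start_datetime' => '2023-05-01 09:00:00'],
        ['id' => 101, 'id_users_provider' => 2, 'start_datetime' => '2023-05-01 10:00:00'],
    ],
    'unavailabilities' => [
        ['id' => 200, 'id_users_provider' => 2, 'start_datetime' => '2023-05-01 12:00:00'],
    ],
];
$secretaryProviders = [9 => [2]];

// Pre-fix behaviour: the full set went out for every role.
printf("unscoped: %d appointments\n", count($response['appointments']));

// Provider 1 sees only its own appointment, secretary 9 sees provider 2's rows,
// and a role the function does not know about sees nothing.
foreach ([[ROLE_PROVIDER, 1], [ROLE_SECRETARY, 9], ['customer', 5]] as [$role, $uid]) {
    $scoped = scopeCalendarResponse($response, $role, $uid, $secretaryProviders);
    printf("%s %d: %d appointments, %d unavailabilities\n", $role, $uid,
        count($scoped['appointments']), count($scoped['unavailabilities']));
}
```

The deliberate difference from the shipped patch is the `default` branch: narrowing only the roles you have thought of leaves every other role with the unfiltered set, whereas deriving an allow-list per role and treating "no entry" as "nothing visible" makes an omission show up as missing data rather than as a disclosure. In a real deployment the same constraint belongs in the model query so the unfiltered rows are never loaded at all.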
The impact is unauthorized disclosure of other providers' appointment and unavailability data returned by the calendar endpoint, including appointment details and the associated user information. A malicious provider or secretary could harvest this data for privacy breaches or as material for social engineering; the references document no modification path, only the read access.
Mitigation: The vulnerability is patched in Easy!Appointments version 1.5.0 and users should upgrade. No workarounds are documented. The issue was reported via the huntr.dev bug bounty platform. [1][3][4]
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| alextselegidis/easyappointments (Packagist) | <= 1.4.3 | — |
Affected products (2)
- alextselegidis/easyappointments (version range: unspecified)
Patches
75b247357678: Do not return appointments of a different user to another provider or secretary on the default calendar screen.
1 file changed · +56 −0
application/controllers/Calendar.php+56 −0 modified@@ -671,6 +671,62 @@ public function get_calendar_appointments() $unavailability['provider'] = $this->providers_model->find($unavailability['id_users_provider']); } + unset($appointment); + + $user_id = session('user_id'); + + $role_slug = session('role_slug'); + + // If the current user is a provider he must only see his own appointments. + if ($role_slug === DB_SLUG_PROVIDER) + { + foreach ($response['appointments'] as $index => $appointment) + { + if ((int)$appointment['id_users_provider'] !== (int)$user_id) + { + unset($response['appointments'][$index]); + } + } + + $response['appointments'] = array_values($response['appointments']); + + foreach ($response['unavailabilities'] as $index => $unavailability) + { + if ((int)$unavailability['id_users_provider'] !== (int)$user_id) + { + unset($response['unavailabilities'][$index]); + } + } + + $response['unavailabilities'] = array_values($response['unavailabilities']); + } + + // If the current user is a secretary he must only see the appointments of his providers. + if ($role_slug === DB_SLUG_SECRETARY) + { + $providers = $this->secretaries_model->find($user_id)['providers']; + + foreach ($response['appointments'] as $index => $appointment) + { + if ( ! in_array((int)$appointment['id_users_provider'], $providers)) + { + unset($response['appointments'][$index]); + } + } + + $response['appointments'] = array_values($response['appointments']); + + foreach ($response['unavailabilities'] as $index => $unavailability) + { + if ( ! in_array((int)$unavailability['id_users_provider'], $providers)) + { + unset($response['unavailabilities'][$index]); + } + } + + $response['unavailabilities'] = array_values($response['unavailabilities']); + } + json_response($response); } catch (Throwable $e)
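Review bot: the hunk unsets `$appointment` before reusing the name in the new by-value loops but not `$unavailability`, even though the context line `$unavailability['provider'] = $this->providers_model->find($unavailability['id_users_provider']);` just above the insertion only has an effect if that preceding loop iterates by reference. If it does, `$unavailability` is still bound to the last element of `$response['unavailabilities']` when `foreach ($response['unavailabilities'] as $index => $unavailability)` runs, so each iteration writes the current row into that slot and the last entry ends up as a copy of the previous one; add `unset($unavailability);` next to `unset($appointment);`. Second, the new checks are allow-by-default: only `DB_SLUG_PROVIDER` and `DB_SLUG_SECRETARY` are narrowed, so any other non-admin role, including one added later, still receives every provider's appointments and unavailabilities. Filtering unless the role is the admin slug, or better, pushing the provider constraint into the model query so the unfiltered set is never loaded, would make this fail closed; while there, pass `true` as the third argument to the two `in_array` calls so the comparison is strict.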
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions: 4
Linked articles: 0 (no linked articles in our index yet)