VYPR
Moderate severity · NVD Advisory · Published Apr 15, 2023 · Updated Feb 6, 2025

Session Fixation in alextselegidis/easyappointments

CVE-2023-2105

Description

Session Fixation in GitHub repository alextselegidis/easyappointments prior to 1.5.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Easy!Appointments prior to 1.5.0 is vulnerable to session fixation, allowing an attacker to hijack authenticated sessions.

Root Cause

Easy!Appointments, an open-source appointment scheduler, contained a session fixation vulnerability in versions prior to 1.5.0. The application did not regenerate the session identifier upon user login, meaning the session ID remained unchanged after authentication [1][4].

Attack Vector

To exploit this flaw, an attacker must first fixate a known session ID on the target user, for example by crafting a link containing a predetermined session cookie. Once the victim authenticates while carrying that session ID, the server does not issue a new identifier [1][2]. The attacker can then use the same session ID to access the victim's authenticated session without knowing their credentials.

Impact

Successful exploitation allows the attacker to impersonate the victim, gaining unauthorized access to the affected Easy!Appointments instance with the victim's privileges. This could lead to viewing or modifying sensitive appointment data, user settings, and other resources accessible to the compromised account [4].

Mitigation

The vulnerability was fixed in commit 7f37350fab9d729a9350d96369ff0f453cf7b840, which introduces session ID regeneration after successful login [1]. Users should update to Easy!Appointments version 1.5.0 or later to remediate the issue.
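To make the root cause and the fix concrete, the following added example (written for this page, not Easy!Appointments code) models a server-side session store with two login handlers: one that keeps the client-supplied session ID across authentication, as versions before 1.5.0 did, and one that rotates it after the credential check, as the patch does with `sess_regenerate()`. The store, handler names and the check function are all hypothetical; the planted ID and username are constructed values.

```python
# Added example (not Easy!Appointments code): a minimal in-memory session
# store that models the behaviour before and after the fix. Every name here
# is hypothetical; the real application uses CodeIgniter's session library.
import secrets


class SessionStore:
    """Server-side map from session ID to session data."""

    def __init__(self):
        self._sessions = {}

    def get_or_create(self, session_id):
        """Accept a client-supplied ID, creating an empty session if unknown.
        Accepting an unknown ID from the client is what allows an ID to be
        planted before authentication."""
        self._sessions.setdefault(session_id, {})
        return session_id

    def data(self, session_id):
        """Return the session data for an ID, or None if the ID is not bound."""
        return self._sessions.get(session_id)

    def regenerate(self, old_id):
        """Move the session data to a fresh, unpredictable ID and unbind the old one."""
        new_id = secrets.token_hex(16)
        self._sessions[new_id] = self._sessions.pop(old_id, {})
        return new_id


def login_without_regeneration(store, session_id, username):
    """Pre-1.5.0 shape: after the credential check, authenticated data is
    stored under whatever ID the client arrived with."""
    sid = store.get_or_create(session_id)
    store.data(sid)["user"] = username
    return sid


def login_with_regeneration(store, session_id, username):
    """Fixed shape: rotate the ID after the credential check and before any
    authenticated data is written."""
    sid = store.get_or_create(session_id)
    sid = store.regenerate(sid)
    store.data(sid)["user"] = username
    return sid


def planted_id_survives_login(login):
    """Defender's check: does an ID known before login still identify the
    authenticated session afterwards? True means the handler is open to
    session fixation."""
    store = SessionStore()
    planted = "id-known-before-login"  # constructed value
    login(store, planted, "victim")
    session = store.data(planted)
    return session is not None and session.get("user") == "victim"


if __name__ == "__main__":
    print("without regeneration:", planted_id_survives_login(login_without_regeneration))  # True
    print("with regeneration:", planted_id_survives_login(login_with_regeneration))  # False
```

The check returns True for the unpatched handler because the pre-login ID still maps to a session carrying the victim's user data, and False for the patched handler because that ID is unbound at rotation and the authenticated data lives only under the newly issued ID. In CodeIgniter 3 the rotation is `$this->session->sess_regenerate()`, as in the patch; in plain PHP the equivalent is `session_regenerate_id(true)`.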

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                          Ecosystem   Affected versions   Patched versions
alextselegidis/easyappointments  Packagist   <= 1.4.3            1.5.0

Affected products: 2

Patches: 1

7f37350fab9d

Regenerate the session ID after logging in to avoid Session Fixation attacks

https://github.com/alextselegidis/easyappointments · Alex Tselegidis · Apr 15, 2023 · via ghsa
1 file changed · +2 −0
  • application/controllers/Login.php · +2 −0 · modified
    @@ -76,6 +76,8 @@ public function validate()
                 {
                     throw new InvalidArgumentException('Invalid credentials provided, please try again.');
                 }
    +            
    +            $this->session->sess_regenerate();
     
                 session($user_data); // Save data in the session.
     
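Review bot: the regeneration call is placed after the credential check and before `session($user_data)` writes authenticated data, which is the correct ordering, but `$this->session->sess_regenerate();` is called with no argument; if this is CodeIgniter 3's session library, the first parameter (`$destroy`) defaults to FALSE, so the old session record is left in place until garbage collection rather than destroyed at rotation. Consider `$this->session->sess_regenerate(TRUE);` so the previous record is removed as soon as the new ID is issued. Style point: the added blank line (`+            `) carries trailing whitespace and should be an empty line.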
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4
