CVE-2024-57601
Description
Cross Site Scripting vulnerability in Alex Tselegidis EasyAppointments v.1.5.0 allows a remote attacker to execute arbitrary code via the legal_settings parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
EasyAppointments v1.5.0 suffers from a stored XSS vulnerability via the `legal_settings` parameter, allowing remote attackers to execute arbitrary JavaScript in the admin panel.
Analysis
Easy!Appointments is an open-source self-hosted appointment scheduler. In version 1.5.0, a Cross-Site Scripting (XSS) vulnerability exists in the backend administrative interface, specifically through the legal_settings parameter. This parameter is used to configure legal text such as terms and conditions or privacy policies, which are displayed to users during the booking process. The application fails to properly sanitize user-supplied input before storing it, allowing an attacker to inject arbitrary HTML and JavaScript code [1].
The vulnerability is exploitable by any authenticated user who has access to the administrative backend, typically a provider or administrator. The attacker can submit malicious payloads via the legal_settings input fields. Because the stored content is rendered without sufficient sanitization, the injected script executes in the context of any user—including other administrators—who views the legal settings page. No special network access beyond standard web application interaction is required [2].
Successful exploitation allows the attacker to execute arbitrary JavaScript in the browser of any administrative user. This can lead to session hijacking, credential theft via phishing overlays, defacement of the admin panel, or performing administrative actions on behalf of the victim (e.g., creating or modifying appointments, altering provider information). The impact is limited to the browser session of authenticated backend users, but it can compromise the entire application's administrative operations.
As of February 2025, the vendor has not released a security patch addressing this vulnerability. Until one is available, users are advised to mitigate the issue themselves (e.g., by HTML-encoding the legal settings content on output or deploying a content security policy), restrict administrative account access to trusted personnel, and monitor the official repository for updates. The vulnerability has not yet been added to CISA's Known Exploited Vulnerabilities catalog, but exploitation is plausible given the public disclosure [2].
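As an added illustration (not code from Easy!Appointments or from the advisory), the following contrasts the vulnerable rendering pattern the analysis describes with the HTML-encoding mitigation it recommends, and adds a check that flags stored `legal_settings` fields carrying script-capable markup. The field names and the sample values are constructed assumptions, not the project's schema.

```python
import html
import json
import re

# Constructed sample of a stored legal_settings value. The key names are an
# assumption for illustration, not taken from the project's schema.
STORED_LEGAL_SETTINGS = json.dumps({
    "terms_and_conditions_content": "<p>Bookings may be cancelled 24h in advance.</p>",
    "privacy_policy_content": "<p>We keep your data.</p>"
                              "<img src=x onerror=\"alert('stored-xss-test')\">",
})

# Markers of active content that legal text never needs: script tags,
# inline event handlers and javascript: URLs.
ACTIVE_CONTENT = re.compile(
    r"<\s*script\b|\bon[a-z]+\s*=|javascript\s*:", re.IGNORECASE
)


def render_unsafe(value: str) -> str:
    """The vulnerable pattern: stored text is echoed into the page verbatim,
    so any markup in it is parsed and executed by the viewer's browser."""
    return f"<div class='legal'>{value}</div>"


def render_encoded(value: str) -> str:
    """Mitigation named in the analysis: HTML-encode on output so the browser
    displays the stored text instead of interpreting it as markup."""
    return f"<div class='legal'>{html.escape(value, quote=True)}</div>"


def flag_active_content(legal_settings_json: str) -> list[str]:
    """Detection: name every legal_settings field whose stored value carries
    script-capable markup, for review or rejection at save time."""
    settings = json.loads(legal_settings_json)
    return [k for k, v in settings.items() if ACTIVE_CONTENT.search(str(v))]


if __name__ == "__main__":
    flagged = flag_active_content(STORED_LEGAL_SETTINGS)
    print("fields with active content:", flagged)
    for field in flagged:
        print(render_encoded(json.loads(STORED_LEGAL_SETTINGS)[field]))
```

If legal text must keep basic formatting, replace `html.escape` with an allowlist HTML sanitizer; full encoding on output is the simplest correct default.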
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| alextselegidis/easyappointments | Packagist | <= 1.5.0 | — |
Affected products
- Alex Tselegidis/EasyAppointments
- Range: =1.5.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-3wf7-83q3-948c (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-57601 (advisory)
- hkohi.ca/vulnerability/13 (web)
News mentions
No linked articles in our index yet.