Packagist (Composer) package
alextselegidis/easyappointments
pkg:composer/alextselegidis/easyappointments
Vulnerabilities (14)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-23622 | High | 8.8 | | <= 1.5.2 | — | Jan 15, 2026 | Easy!Appointments is a self hosted appointment scheduler. In 1.5.2 and earlier, application/core/EA_Security.php::csrf_verify() only enforces CSRF for POST requests and returns early for non-POST methods. Several application endpoints perform state-changing operations while accep |
| CVE-2025-50383 | — | | | < 1.5.2-beta.1 | 1.5.2-beta.1 | Aug 25, 2025 | alextselegidis Easy!Appointments v1.5.1 was discovered to contain a SQL injection vulnerability via the order_by parameter. |
| CVE-2025-29448 | — | | | <= 1.5.1 | — | May 7, 2025 | Booking logic flaw in Easy!Appointments v1.5.1 allows unauthenticated attackers to create appointments with excessively long durations, causing a denial of service by blocking all future booking availability. |
| CVE-2024-57602 | — | | | <= 1.5.0 | — | Feb 12, 2025 | An issue in Alex Tselegidis EasyAppointments v.1.5.0 allows a remote attacker to escalate privileges via the index.php file. |
| CVE-2024-57601 | — | | | <= 1.5.0 | — | Feb 12, 2025 | Cross Site Scripting vulnerability in Alex Tselegidis EasyAppointments v.1.5.0 allows a remote attacker to execute arbitrary code via the legal_settings parameter. |
| CVE-2023-3700 | — | | | < 1.5.0 | 1.5.0 | Jul 17, 2023 | Authorization Bypass Through User-Controlled Key in GitHub repository alextselegidis/easyappointments prior to 1.5.0. |
| CVE-2023-2105 | — | | | <= 1.4.3 | — | Apr 15, 2023 | Session Fixation in GitHub repository alextselegidis/easyappointments prior to 1.5.0. |
| CVE-2023-2104 | — | | | <= 1.4.3 | — | Apr 15, 2023 | Improper Access Control in GitHub repository alextselegidis/easyappointments prior to 1.5.0. |
| CVE-2023-2103 | — | | | <= 1.4.3 | — | Apr 15, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository alextselegidis/easyappointments prior to 1.5.0. |
| CVE-2023-2102 | — | | | <= 1.4.3 | — | Apr 15, 2023 | Cross-site Scripting (XSS) - Stored in GitHub repository alextselegidis/easyappointments prior to 1.5.0. |
| CVE-2023-1367 | — | | | < 1.5.0 | 1.5.0 | Mar 13, 2023 | Code Injection in GitHub repository alextselegidis/easyappointments prior to 1.5.0. |
| CVE-2023-1269 | — | | | <= 1.4.3 | — | Mar 8, 2023 | Use of Hard-coded Credentials in GitHub repository alextselegidis/easyappointments prior to 1.5.0. |
| CVE-2022-1397 | — | | | <= 1.4.3 | — | May 10, 2022 | API Privilege Escalation in GitHub repository alextselegidis/easyappointments prior to 1.5.0. Full system takeover. |
| CVE-2022-0482 | — | | | < 1.4.3 | 1.4.3 | Mar 9, 2022 | Exposure of Private Personal Information to an Unauthorized Actor in GitHub repository alextselegidis/easyappointments prior to 1.4.3. |