
Easy!Appointments v1.2.1 Multiple Stored XSS Vulnerabilities

Medium
Advisory ID: ZSL-2017-5442
Release Date: 27 December 2017
Vendor
Affected Version: 1.2.1
CVE: N/A
Tested On: Apache/2.4.23 (Win32), OpenSSL/1.0.2h, MariaDB-10.1.19, PHP/5.6.28
Summary

Easy!Appointments is a highly customizable web application that allows your customers to book appointments with you via the web. It also provides the ability to sync your data with Google Calendar so that it can be used with other services. It is an open source project and you can download and install it even for commercial use. Easy!Appointments will run smoothly alongside your existing website, because it can be installed in a single folder on the server and, of course, both sites can share the same database. Learn more about the project on the Features page.

Description

The application suffers from multiple stored and reflected XSS vulnerabilities. The issues are triggered when untrusted input passed via multiple POST and GET parameters is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
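The flaw class described above, as an added illustration that is not Easy!Appointments code: a hypothetical booking record whose fields are stored and later rendered back into a page, shown once without output encoding and once with it. The field names and the sample values are constructed for the demonstration.

```php
<?php
// Constructed sample row standing in for values that arrived via POST/GET and
// were stored; the same rule applies to a request parameter echoed directly
// (the reflected case). Field names are hypothetical, not the application's.
$stored = [
    'customer_name'  => 'Alice <script>alert(1)</script>',
    'customer_notes' => '" onmouseover="alert(1)',
];

// Vulnerable rendering: stored values are concatenated into a text node and
// into a double-quoted attribute as-is, so the markup inside them becomes part
// of the page and runs in the viewing user's session.
function render_vulnerable(array $row): string {
    return '<p>Customer: ' . $row['customer_name'] . '</p>'
         . '<input name="notes" value="' . $row['customer_notes'] . '">';
}

// Hardened rendering: encode at the point of output, for the context the value
// lands in. ENT_QUOTES escapes both quote styles, which covers the attribute
// case; ENT_SUBSTITUTE replaces malformed UTF-8 instead of returning an empty
// string, so a bad byte cannot silently blank the field.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_hardened(array $row): string {
    return '<p>Customer: ' . h($row['customer_name']) . '</p>'
         . '<input name="notes" value="' . h($row['customer_notes']) . '">';
}

echo render_vulnerable($stored), PHP_EOL;
echo render_hardened($stored), PHP_EOL;
```

Running it prints the raw markup from the first function and the entity-encoded form from the second; the encoded output is what a fix for this class of issue should produce at every place a stored or reflected parameter reaches HTML.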

Proof of Concept
Disclosure Timeline
20.10.2017 Vulnerabilities discovered.
05.12.2017 Vendor contacted.
05.12.2017 Vendor responds asking for more details.
06.12.2017 Sent details to the vendor.
06.12.2017 Vendor replies.
06.12.2017 Working with the vendor.
11.12.2017 Asked vendor for status update.
12.12.2017 Vendor responds.
19.12.2017 Asked vendor for verification and fix release plan.
19.12.2017 Vendor verified the issues in 1.2.1.
20.12.2017 Asked vendor for release date.
20.12.2017 New version 1.3 will be released within a week.
27.12.2017 Public security advisory released.
02.01.2018 Vendor releases version 1.3.0 Alpha to address these issues.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
27.12.2017 Initial release
04.01.2018 Added vendor status and references [1], [2] and [3]