Easy!Appointments v1.2.1 Multiple Stored XSS Vulnerabilities
Title: Easy!Appointments v1.2.1 Multiple Stored XSS Vulnerabilities
Advisory ID: ZSL-2017-5442
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 27.12.2017
OpenSSL/1.0.2h
MariaDB-10.1.19
PHP/5.6.28
[05.12.2017] Vendor contacted.
[05.12.2017] Vendor responds asking more details.
[06.12.2017] Sent details to the vendor.
[06.12.2017] Vendor replies.
[06.12.2017] Working with the vendor.
[11.12.2017] Asked vendor for status update.
[12.12.2017] Vendor responds.
[19.12.2017] Asked vendor for verification and fix release plan.
[19.12.2017] Vendor verified the issues in 1.2.1.
[20.12.2017] Asked vendor for release date.
[20.12.2017] New version 1.3 will be released within a week.
[27.12.2017] Public security advisory released.
[02.01.2018] Vendor releases version 1.3.0 Alpha to address these issues.
[2] https://packetstormsecurity.com/files/145569
[3] https://www.exploit-db.com/exploits/43399/
[04.01.2018] - Added vendor status and reference [1], [2] and [3]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2017-5442
Type: Local/Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 27.12.2017
Summary
Easy!Appointments is a highly customizable web application that allows your customers to book appointments with you via the web. Moreover, it provides the ability to sync your data with Google Calendar so you can use them with other services. It is an open source project and you can download and install it even for commercial use. Easy!Appointments will run smoothly with your existing website, because it can be installed in a single folder of the server and of course, both sites can share the same database. Learn more about the project in the Features page.Description
The application suffers from multiple stored and reflected XSS vulnerabilities. The issues are triggered when an unauthorized input passed via multiple POST and GET parameters is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.Vendor
Alex Tselegidis - http://www.easyappointments.orgAffected Version
1.2.1Tested On
Apache/2.4.23 (Win32)OpenSSL/1.0.2h
MariaDB-10.1.19
PHP/5.6.28
Vendor Status
[20.10.2017] Vulnerabilities discovered.[05.12.2017] Vendor contacted.
[05.12.2017] Vendor responds asking more details.
[06.12.2017] Sent details to the vendor.
[06.12.2017] Vendor replies.
[06.12.2017] Working with the vendor.
[11.12.2017] Asked vendor for status update.
[12.12.2017] Vendor responds.
[19.12.2017] Asked vendor for verification and fix release plan.
[19.12.2017] Vendor verified the issues in 1.2.1.
[20.12.2017] Asked vendor for release date.
[20.12.2017] New version 1.3 will be released within a week.
[27.12.2017] Public security advisory released.
[02.01.2018] Vendor releases version 1.3.0 Alpha to address these issues.
PoC
easyappointments_xss.txtCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] https://cxsecurity.com/issue/WLB-2017120298[2] https://packetstormsecurity.com/files/145569
[3] https://www.exploit-db.com/exploits/43399/
Changelog
[27.12.2017] - Initial release[04.01.2018] - Added vendor status and reference [1], [2] and [3]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk