Description
Easy!Appointments is a self hosted appointment scheduler. In versions up to and including 1.5.2, the booking reschedule view at `/index.php/booking/reschedule/{appointment_hash}` (handled by `Booking::index()`) embeds the entire customer record as inline JavaScript (`const vars = {... "customer_data": {...}, ...}`) without authentication and without field whitelisting. Anyone in possession of the 12-character `appointment_hash` — which appears in plain text in reschedule emails, confirmation page URLs, and operator-side calendar links — can read every column of that customer's row in the `ea_users` table. Version 1.6.0 contains a patch.
Problem types
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-639: Authorization Bypass Through User-Controlled Key
Product status
References
github.com/...tments/security/advisories/GHSA-xgr6-pqjv-3pf8
github.com/...ommit/725eafa647308846ce887657db12771a829e42ef