Description
Easy!Appointments is a self hosted appointment scheduler. In versions prior to 1.6.0, `Google::oauth` at `application/controllers/Google.php:278` stores its URL-supplied `provider_id` in the session, and `oauth_callback` saves the issued Google OAuth token against that row without checking the caller owns the provider. Any logged-in backend user (admin, provider, or secretary) rebinds a peer provider's Google sync to a Google account they control. The peer's appointments then sync into the attacker's calendar with each customer's name and email attached as attendee data. Version 1.6.0 patches the issue.
Problem types
CWE-639: Authorization Bypass Through User-Controlled Key
Product status
References
github.com/...tments/security/advisories/GHSA-8hm4-r66f-29wr
github.com/...tments/security/advisories/GHSA-8hm4-r66f-29wr
github.com/...ommit/4b2d245d2cd2058dc76e05f6eb65b26699268471