CVE-2023-3285 : A BOLA vulnerability in POST /appointments allows a low privileged user to creat

A BOLA vulnerability in POST /appointments allows a low privileged user to create an appointment for any user in the system (including admin). This results in unauthorized data manipulation.

Published 2024-07-09 10:15:02

Updated 2024-07-09 18:19:14

Source Palo Alto Networks, Inc.

View at NVD, CVE.org

Products affected by CVE-2023-3285

Please log in to view affected product information.

Exploit prediction scoring system (EPSS) score for CVE-2023-3285

EPSS FAQ

0.09%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 28 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-3285

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.7	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N	3.1	4.0	Palo Alto Networks, Inc.	2024-07-09
Attack Vector: Network Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Changed Confidentiality: None Integrity: High Availability: None

CWE ids for CVE-2023-3285

CWE-639 Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

Assigned by: psirt@paloaltonetworks.com (Secondary)

References for CVE-2023-3285

https://github.com/alextselegidis/easyappointments

GitHub - alextselegidis/easyappointments: :date: Easy!Appointments - Self Hosted Appointment Scheduler

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2023-3285

Products affected by CVE-2023-3285

Exploit prediction scoring system (EPSS) score for CVE-2023-3285

CVSS scores for CVE-2023-3285

CWE ids for CVE-2023-3285

References for CVE-2023-3285