CVE-2026-52837 in easyappointments정보

요약

\~에 의해 MITRE • 2026. 07. 14.

Easy!Appointments is a self hosted appointment scheduler. In versions up to and including 1.5.2, the booking reschedule view at `/index.php/booking/reschedule/{appointment_hash}` (handled by `Booking::index()`) embeds the entire customer record as inline JavaScript (`const vars = {... "customer_data": {...}, ...}`) without authentication and without field whitelisting. Anyone in possession of the 12-character `appointment_hash` — which appears in plain text in reschedule emails, confirmation page URLs, and operator-side calendar links — can read every column of that customer's row in the `ea_users` table. Version 1.6.0 contains a patch.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

책임이 있는

GitHub M

예약하다

2026. 06. 08.

모더레이션

수락

항목

VDB-378322

EPSS

0.00000

출처

Do you know our Splunk app?

Download it now for free!