Exposure of Private Personal Information to an Unauthorized Actor
CVE-2022-0482
Lack of authentication logic in the backend API led to sensitive PII being exposed to unauthenticated attackers.
Over the last few years, I discovered more than 60 new vulnerabilities, half of which are in open-source software.
CVE-2022-1397
Privilege escalation occurs when a user gains access to more resources or functionality than they are normally allowed. In the Easy!Appointments API, authorization is checked only against the user's existence, without validating the user's permissions. As a result, a low-privileged user can take over the system.
CVE-2022-3907
The plugin's validation function for all API requests is vulnerable to timing attacks because it uses plain comparison operators, which are not constant-time, to verify API keys against the ones stored in the site options.
CVE-2022-3600
Missing data sanitization in the CSV export feature leads to a CSV formula injection vulnerability.
CVE-2021-24704
An unprepared (non-parameterized) SQL query in conjunction with a CSRF vulnerability allows full database takeover.