EasyAppointments - v1.5.0 - Cross-Site Scripting

By 0xhamy 04:45 PM - October 22nd 2025
Type: software
Product Environment: web
Product Name: EasyAppointments
Product Vendor: Alex Tselegidis
Product Version: 1.5.0
Product Link: https://github.com/alextselegidis/easyappointments
Vulnerability Name: Cross-Site Scripting
Severity: High
CVSS String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
CVSS Score: 8.7
CVE ID: CVE-2024-57601
Vendor Acknowledgement: No
Affected Digital Assets: 1293
Affected Users: 129300
Date of Reporting: Dec 22, 2024
PoC Exploit: https://gist.github.com/0xHamy/b2674eeffd1f73af96d29f152c47bcbd
Credit: 0xhamy

Description

EasyAppointments 1.5.0 is vulnerable to stored cross-site scripting (XSS) via the Legal Settings editor at /index.php/legal_settings.
Custom “policy” fields (e.g., Cookie Policy) accept HTML that is executed whenever the settings page loads. Because the payload is stored, subsequent visits to the page trigger the attacker-controlled code, enabling session theft and account takeover in the administrator’s browser.

Vulnerability Details

The Legal Settings page persists rich HTML without adequate sanitization. When the page is later viewed, the editor renders and executes the stored content rather than treating it as inert text.
If an attacker can place malicious HTML (e.g., <img> with an external src that beacons cookies/tokens), every visit to the Legal Settings page executes that content in the EasyAppointments origin, allowing credential/session exfiltration or privileged actions via the admin’s session.

Steps to Reproduce

  1. Prepare a capture endpoint (cookie stealer).
     Use the PHP listener from the gist:
     https://gist.github.com/0xHamy/b2674eeffd1f73af96d29f152c47bcbd
     Start it:

     php -S 0.0.0.0:1718

  2. Log in to the admin panel and navigate to:

     /index.php/legal_settings

  3. Insert a stored XSS payload in a policy field.
     In the Cookies (or any policy) field, switch the editor to “embed code/source” mode and insert:

     <img src="http://127.0.0.1:1718/capture.php">

  4. Trigger and observe.
     Reload or revisit the Legal Settings page. Each load requests the attacker’s URL, enabling cookie/session exfiltration (demonstrated via capture.php). With suitable payloads, this can lead to admin account takeover.

Recommendation

  • Sanitize policy fields using an allow-list HTML sanitizer; strip dangerous tags/attributes (e.g., scripts, event handlers, external loads).
  • Render content safely (e.g., treat as inert/escaped HTML in edit views; only allow a safe subset when displaying).
  • Harden with CSP (disallow inline scripts; restrict img-src/connect-src to trusted origins).
  • Limit who can edit legal content and add change auditing/preview to catch malicious inserts.
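The first and last recommendations (allow-list sanitization, and auditing of what was changed) can be illustrated with a small sanitizer. The block below is an added example written for this page, not code from EasyAppointments (which is a PHP application) or from the report's author; it uses only the Python standard library. The tag and attribute allow-lists, the function names `sanitize_policy_html` and `audit_policy_html`, and the sample policy text are all constructed for the demonstration. The sample deliberately contains the `<img>` beacon from the report plus the other classic vectors an allow-list must handle (a `<script>` block, an inline event handler, a `javascript:` link), so the output shows exactly what survives and what is removed.

```python
"""Allow-list HTML sanitizer for stored legal/policy text (added example).

Accept a small set of formatting tags and attributes, drop everything
else (scripts, event handlers, external resource loads), and report what
was dropped so an edit that carried disallowed markup can be logged.
Standard library only.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags a policy text legitimately needs (assumed allow-list). Disallowed
# tags lose their markup; their text content is kept.
ALLOWED_TAGS = {"p", "br", "b", "strong", "i", "em", "u", "ul", "ol", "li",
                "h1", "h2", "h3", "h4", "a"}
# Attributes permitted per tag: no on* handlers, no style, no src anywhere.
ALLOWED_ATTRS = {"a": {"href", "title"}}
# URL schemes permitted in href; scheme-less (relative) links also pass.
SAFE_SCHEMES = {"http", "https", "mailto"}
VOID_TAGS = {"br"}
# Tags whose entire content is removed, not just the markup.
DROP_CONTENT_TAGS = {"script", "style"}


class PolicySanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitized output fragments
        self.dropped = []      # audit trail: "tag" or "tag@attr" removed
        self._skip_depth = 0   # > 0 while inside <script>/<style>
        self._open = []        # stack of allowed tags we have emitted

    @staticmethod
    def _safe_href(value):
        scheme = urlparse(value.strip()).scheme.lower()
        return scheme == "" or scheme in SAFE_SCHEMES

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth += 1
            self.dropped.append(tag)
            return
        if self._skip_depth:
            return
        if tag not in ALLOWED_TAGS:
            self.dropped.append(tag)   # e.g. <img src="http://..."> is gone
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name not in ALLOWED_ATTRS.get(tag, set()):
                self.dropped.append("%s@%s" % (tag, name))  # onclick etc.
                continue
            if name == "href" and not self._safe_href(value):
                self.dropped.append("%s@%s" % (tag, name))  # javascript: etc.
                continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        if tag == "a" and any(k.startswith(" href=") for k in kept):
            kept.append(' rel="noopener noreferrer"')
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self._open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self._skip_depth = max(0, self._skip_depth - 1)
            return
        if self._skip_depth or tag not in self._open:
            return
        # Close back down to the matching tag so the output stays well-formed.
        while self._open:
            top = self._open.pop()
            self.out.append("</%s>" % top)
            if top == tag:
                break

    def handle_data(self, data):
        if not self._skip_depth:
            self.out.append(escape(data, quote=False))  # text is always inert

    def handle_comment(self, data):
        pass  # comments are dropped

    def result(self):
        self.close()
        while self._open:   # close anything the input left open
            self.out.append("</%s>" % self._open.pop())
        return "".join(self.out)


def _run(raw):
    p = PolicySanitizer()
    p.feed(raw)
    clean = p.result()
    return clean, p.dropped


def sanitize_policy_html(raw):
    """Return the allow-listed form of a submitted policy field."""
    return _run(raw)[0]


def audit_policy_html(raw):
    """Return the list of tags/attributes a submission tried to smuggle in."""
    return _run(raw)[1]


# Constructed sample: legitimate formatting mixed with the report's <img>
# beacon and three other vectors a sanitizer must neutralise.
SAMPLE_POLICY = (
    '<h2>Cookie Policy</h2>'
    '<p>We use <b>strictly necessary</b> cookies. '
    'See <a href="https://example.com/privacy" onclick="alert(1)">details</a>.</p>'
    '<img src="http://127.0.0.1:1718/capture.php">'
    '<script>alert(1)</script>'
    '<a href="javascript:alert(1)">click</a>'
)

if __name__ == "__main__":
    print(sanitize_policy_html(SAMPLE_POLICY))
    print("dropped:", audit_policy_html(SAMPLE_POLICY))
```

Run server-side on save (the stored value must already be clean, so that an editor later switching to source mode cannot resurrect the payload) and again on render as defence in depth. The `dropped` list is the hook for the auditing recommendation: a non-empty list on a legal-settings save is worth an alert, since legitimate policy text has no reason to carry scripts, event handlers or external images.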