Palo Alto Networks’ AI-Powered Tool Exposes 15 Vulnerabilities in Easy!Appointments

by do son · Published July 27, 2024 · Updated July 27, 2024

Palo Alto Networks is actively developing security technologies leveraging artificial intelligence. In 2023, the company’s researchers created an automated tool for detecting BOLA (Broken Object-Level Authorization) vulnerabilities. The vulnerability detection tool is based on artificial intelligence, enabling the effective identification of BOLA vulnerabilities, which are challenging to detect manually due to the complexity of modern web application logic. This tool was applied to the open-source project Easy!Appointments, where 15 vulnerabilities were identified.

BOLA (Broken Object-Level Authorization), also known as IDOR (Insecure Direct Object References), is a common type of vulnerability in modern APIs and web applications. It ranks first in the OWASP API Top 10 risks and fourth among the most frequently reported vulnerabilities on the HackerOne platform.

BOLA occurs when an application fails to verify whether a user has the necessary permissions to access, modify, or delete an object. This can lead to data leaks, data alterations, or even complete account takeovers.

Easy!Appointments is a popular application for managing and scheduling appointments, synchronized with Google Calendar and CalDAV. The discovered vulnerabilities allowed users with low privilege levels to view and modify appointments created by more privileged users, such as administrators and service providers.

All vulnerabilities, classified from CVE-2023-3285 to CVE-2023-3290 and CVE-2023-38047 to CVE-2023-38055, were addressed in version 1.5.0. Organizations are strongly urged to update Easy!Appointments to this version or newer.

Among the issues identified were the ability to create and delete privileged users, alter system settings, and manage other users’ data. For instance, vulnerability CVE-2023-38049 allows a low-privileged user to modify or delete appointments created by an administrator.