Easy!Appointments is a highly customizable web application that offers scheduling management for businesses.
An attacker can run automated attacks against the CAPTCHA-protected form.
The CAPTCHA should be invalidated after its first use, and the application should never send the decoded value of the CAPTCHA back to the client when the submitted one is invalid.
Note that in Easy!Appointments 1.2.1 the "Require CAPTCHA" option adds a CAPTCHA only to the "Confirm Appointment" form. For better security, it is recommended to protect every form of the unauthenticated section.
CVE ID: CVE-2018-13060
Access Vector: network
Security Risk: medium
CVSS Base Score: 6.5
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
When the "Require CAPTCHA" option is activated, visitors are required to solve the CAPTCHA when submitting the "Confirm Appointment" form.
If a wrong CAPTCHA is submitted, the application sends back its decoded value in the response body and does not invalidate it. An attacker can therefore abuse this behaviour to bypass the CAPTCHA.
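To make the two defects concrete from the defender's side, the following added example (not Easy!Appointments code; the session dictionary, function names and JSON-style response shape are assumptions) models the "Confirm Appointment" check twice: a handler that behaves as the advisory describes, and a hardened one that consumes the challenge on every attempt and returns only a generic error.

```python
"""Single-use CAPTCHA verification with a generic failure response.

Added example, not code from the Easy!Appointments project. The session is a plain
dict standing in for server-side session storage; the real application renders the
challenge as an image from its own captcha endpoint, which is not modelled here.
"""
import hmac
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits


def new_captcha(session: dict, length: int = 6) -> str:
    """Generate a fresh challenge, store it server-side and return its text.

    In a real application the text is only ever turned into an image; it is
    returned here so the example can drive both handlers without an image decoder.
    """
    value = "".join(secrets.choice(ALPHABET) for _ in range(length))
    session["captcha"] = value
    return value


def confirm_appointment_vulnerable(session: dict, submitted: str) -> dict:
    """Behaviour the advisory describes: a wrong answer is rejected, but the
    response carries the decoded challenge and the stored value is kept, so the
    very same CAPTCHA can be replayed on the next request."""
    expected = session.get("captcha")
    if submitted == expected:
        return {"status": "ok"}
    return {"status": "error", "message": "Invalid CAPTCHA", "captcha": expected}


def confirm_appointment_fixed(session: dict, submitted: str) -> dict:
    """Hardened check: the stored challenge is removed on every attempt
    (success or failure), compared in constant time, and the failure message
    reveals nothing about the expected value. The client must fetch a new
    challenge from the captcha endpoint before it can try again."""
    expected = session.pop("captcha", None)  # single use, regardless of outcome
    if (
        expected is not None
        and submitted is not None
        and hmac.compare_digest(submitted.encode(), expected.encode())
    ):
        return {"status": "ok"}
    return {"status": "error", "message": "Invalid CAPTCHA"}


def response_leaks_value(response: dict, session_before: str) -> bool:
    """Defensive self-check: does any field of the response echo the challenge?"""
    return any(v == session_before for v in response.values())


if __name__ == "__main__":
    sess = {}
    value = new_captcha(sess)
    bad = confirm_appointment_vulnerable(sess, "WRONG")
    print("vulnerable handler leaks value:", response_leaks_value(bad, value))
    print("vulnerable handler keeps value:", sess.get("captcha") == value)

    sess = {}
    value = new_captcha(sess)
    bad = confirm_appointment_fixed(sess, "WRONG")
    print("fixed handler leaks value:", response_leaks_value(bad, value))
    print("fixed handler keeps value:", "captcha" in sess)
```

The important design choice is the `pop` in the hardened handler: invalidating the challenge on failure as well as on success is what prevents the retrieved value from being reused, and keeping the error message generic removes the leak that made the value retrievable in the first place.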
Proof of Concept: CAPTCHA bypass
The steps consist of collecting and reusing a decoded CAPTCHA:
1/ When submitting the "Confirm Appointment" form, submit a wrong CAPTCHA.
2/ Collect the valid CAPTCHA from the response body returned by the Easy!Appointments server. For example:
3/ Resend the form with the retrieved CAPTCHA.
4/ As long as you do not request index.php/captcha, the CAPTCHA is not updated.
Affected Versions: Versions 1.3.0 and prior to 1.2.1 - other versions have not been tested.
Solution: Update to a version higher than 1.3.2.
Timeline:
- 06/03/2018 : Initial discovery
- 17/04/2018 : Vendor contact
- 17/05/2018 : Vendor technical team acknowledgment
- 15/08/2018 : Vendor submits a private pre-release (version number garbled in the source) that, according to our test, did not mitigate the issue.
- 25/10/2019 : Public disclosure
Credits:
- Valentin CHATELAIN, Sysdream (v.chatelain -at- sysdream -dot- com)
- Pierrick VERAN, Sysdream (p.veran -at- sysdream -dot- com)