oss-sec mailing list archives

CVE request: Easy!Appointments 1.0 cross-site scripting vulnerability


From: Henri Salo <henri () nerv fi>
Date: Mon, 27 Jul 2015 15:28:33 +0300


Product: Easy!Appointments Open Source Appointment Scheduler
Product URL: http://easyappointments.org/
Vendor: Alex Tselegidis
Vulnerability Type: Cross Site Scripting (CWE-79)
Vulnerable Versions: 1.0
Fixed Version: next release
Vendor Notification: 2015-04-03
Solution Status: Fixed by vendor
Solution Date: 2015-05-27
Public Disclosure: 2015-07-27

Vulnerability Details:

Easy!Appointments contains a flaw that allows a stored cross-site scripting
(XSS) attack. This flaw exists because the appointment registration
functionality does not validate input to the 'first-name', 'last-name' or
'phone-number' parameters before returning it to authenticated users. This
allows a context-dependent attacker to create a specially crafted request that
would execute arbitrary script code in a user's browser session within the trust
relationship between their browser and the server.

Root cause:

The software does not neutralize user-controllable input before it is placed in
output that is used as a web page that is served to authenticated users.

Proof-of-concept:

1. Select a service and a provider
2. Select date and time
3. Fill in your information using the payload as First name:
    Henri"><img src='#' onerror=alert(document.cookie) />
4. Log in as administrator or as provider/secretary
5. Go to "Calendar"
6. Open up the appointment
7. Malicious code is executed

Fixed in following commit:
    https://github.com/alextselegidis/easyappointments/commit/914d3af8c2e513b49bd27955b32b4ce1d50b7325

References:
    http://cwe.mitre.org/data/definitions/79.html
    https://en.wikipedia.org/wiki/Cross-site_scripting
    https://scapsync.com/cwe/CWE-79
    https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29
    https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

-- 
Henri Salo
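The root cause above (customer-supplied fields placed into the calendar page without neutralization) and the proof-of-concept both come down to one missing step: HTML output encoding. The following is an added illustration, not code from Easy!Appointments or from the advisory's author; the field names, the `renderAppointment*` functions and the sample appointment are assumptions made for the example. It shows the vulnerable concatenation pattern beside its hardened form and a small check a tester can run over the rendered markup to see whether an injected tag survived.

```javascript
// Added example (not Easy!Appointments code): escaping customer-controlled
// fields before they are placed into the HTML of an appointment view.

// Characters that carry meaning inside an HTML text node or a quoted
// attribute value. Each is replaced by its character reference.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a value for safe insertion into HTML text or a quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: raw values concatenated straight into markup.
// A first name such as the advisory's payload closes the span and
// injects its own <img> tag with an event handler.
function renderAppointmentUnsafe(appt) {
  return (
    `<div class="appointment">` +
    `<span class="name">${appt.firstName} ${appt.lastName}</span>` +
    `<span class="phone">${appt.phone}</span>` +
    `</div>`
  );
}

// Hardened pattern: every customer-controlled field goes through
// escapeHtml() before it touches the template.
function renderAppointmentSafe(appt) {
  return (
    `<div class="appointment">` +
    `<span class="name">${escapeHtml(appt.firstName)} ${escapeHtml(appt.lastName)}</span>` +
    `<span class="phone">${escapeHtml(appt.phone)}</span>` +
    `</div>`
  );
}

// Check used when testing a fix: does the rendered markup contain any tag
// other than the ones the template itself emits? Escaped input never
// produces a literal '<', so it cannot introduce a new tag.
function containsInjectedTag(html) {
  const allowed = new Set(['div', '/div', 'span', '/span']);
  const tags = html.match(/<\/?[a-zA-Z][a-zA-Z0-9]*/g) || [];
  return tags.some((tag) => !allowed.has(tag.slice(1)));
}

// Constructed sample appointment (assumed field names): the first name is
// the payload quoted in the advisory, the other values are placeholders.
const SAMPLE_APPOINTMENT = {
  firstName: `Henri"><img src='#' onerror=alert(document.cookie) />`,
  lastName: 'Salo',
  phone: '+000 000 0000',
};

// Renders the sample both ways and reports whether each output carries an
// injected tag; returns the results so they can be inspected or asserted.
function demo(appt = SAMPLE_APPOINTMENT) {
  const unsafe = renderAppointmentUnsafe(appt);
  const safe = renderAppointmentSafe(appt);
  return {
    unsafeInjected: containsInjectedTag(unsafe),
    safeInjected: containsInjectedTag(safe),
    safeHtml: safe,
  };
}
```

`demo()` returns `unsafeInjected: true` and `safeInjected: false` for the sample: the unescaped render contains a stray `<img` tag, while the escaped render shows the payload verbatim as text. Encoding at the point of output, as here, is the fix the OWASP prevention cheat sheet referenced above describes; validating the phone or name format on input is a useful extra layer but does not replace it, since a name may legitimately contain an apostrophe.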

