CVE-2024-51066 is classified as an Insecure Direct Object Reference (IDOR) vulnerability affecting the appointment-detail.php script in Phpgurukul's Beauty Parlour Management System version 1.1. IDOR vulnerabilities occur when an application exposes references to internal objects such as database records or files without proper authorization checks. In this case, the vulnerability allows an unauthenticated attacker to manipulate the object reference parameter in the appointment-detail.php endpoint to access appointment details belonging to other customers. This leads to unauthorized disclosure of Personally Identifiable Information (PII), violating confidentiality principles. The vulnerability requires no authentication (PR:N) and no user interaction (UI:N), making it remotely exploitable over the network (AV:N) with low attack complexity (AC:L). The scope remains unchanged (S:U), and the impact is limited to confidentiality (C:H), with no impact on integrity or availability. The vulnerability is tracked under CWE-639, which relates to authorization bypass through improper object reference validation. No official patches or fixes have been published yet, and no exploits have been observed in the wild. However, the presence of sensitive customer data in beauty parlour management systems makes this a critical privacy concern, especially for organizations handling large customer bases or regulated data. Mitigation requires implementing strict access control checks on object references and validating user permissions before disclosing appointment details.

The primary impact of CVE-2024-51066 is the unauthorized disclosure of Personally Identifiable Information (PII) of customers, which can include names, contact details, appointment histories, and potentially sensitive personal data. This breach of confidentiality can lead to privacy violations, regulatory non-compliance (e.g., GDPR, CCPA), reputational damage, and potential legal liabilities for affected organizations. Since the vulnerability is exploitable without authentication and user interaction, attackers can systematically harvest customer data remotely, increasing the scale and speed of data breaches. While the vulnerability does not affect data integrity or system availability, the exposure of sensitive information can facilitate further attacks such as identity theft, phishing, or social engineering. Small and medium-sized businesses using this management system may lack robust security monitoring, increasing their risk of unnoticed exploitation. The absence of known exploits in the wild currently limits immediate widespread impact, but the vulnerability remains a significant risk if weaponized.

1. Implement strict server-side authorization checks to verify that the requesting user is authorized to access the specific appointment details before returning any data. 2. Avoid using predictable or sequential identifiers in URLs or API parameters; consider using opaque, randomized tokens to reference sensitive objects. 3. Employ role-based access control (RBAC) or attribute-based access control (ABAC) mechanisms to enforce fine-grained permissions on customer data. 4. Conduct thorough input validation and enforce least privilege principles in all endpoints handling sensitive information. 5. Monitor access logs for unusual or repeated requests to appointment-detail.php that may indicate exploitation attempts. 6. If possible, apply patches or updates from the vendor once available; if no patch exists, consider restricting external access to the affected endpoint via network controls or web application firewalls (WAFs). 7. Educate staff and customers about potential phishing or social engineering risks stemming from leaked PII. 8. Regularly audit and review application code and configurations for similar IDOR vulnerabilities to prevent future occurrences.