CVE-2025-46247: CWE-862 Missing Authorization in codepeople Appointment Booking Calendar
Missing Authorization vulnerability in codepeople Appointment Booking Calendar allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Appointment Booking Calendar: from n/a through 1.3.92.
AI Analysis
Technical Summary
CVE-2025-46247 is a Missing Authorization vulnerability (CWE-862) in codepeople's Appointment Booking Calendar, a WordPress plugin, affecting all versions through 1.3.92 (the advisory gives no lower bound, hence "from n/a"). CWE-862 means the application performs a privileged operation without first checking that the caller is allowed to perform it: here, at least one function of the plugin can be invoked by a caller whose role does not grant it, because the access control that should gate it is missing or incomplete. In a web-based appointment scheduling tool the exposed functionality plausibly includes viewing, creating, modifying or deleting bookings, or reaching administrative settings, though the advisory does not name the affected function. Exploitation needs no interaction from a victim, but the advisory does not state the minimum privilege required: CWE-862 findings in WordPress plugins range from fully unauthenticated access to actions reachable by any logged-in low-privilege account such as a subscriber, so the issue should be treated as exploitable by the least-privileged user the site accepts until the vendor clarifies. No exploitation in the wild had been reported and no fixed version was listed at the time of this analysis. The CVE was reserved and published on April 22, 2025 by Patchstack, the CNA for the WordPress plugin ecosystem. The record carries the "CISA Enriched" flag shown in the technical details below; that reflects CISA's routine ADP enrichment of CVE records, not a known-exploited or KEV finding. No CVSS score accompanies the record, so severity has to be assessed independently from the vulnerability's characteristics.
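The pattern behind a CWE-862 finding in a WordPress plugin, shown here as an added illustration that is not the Appointment Booking Calendar's code (the hook names, table name and capability are hypothetical): a handler that performs a privileged action reachable through admin-ajax.php without checking who is calling, next to the same handler with the checks a reviewer would expect, and the equivalent rule for a REST route.

```php
<?php
// Illustrative CWE-862 pattern in a WordPress plugin (hypothetical code, not
// the Appointment Booking Calendar source). The "before" handler trusts the
// request; the "after" handler enforces authorization at the function entry.

// --- Vulnerable pattern: the action is reachable by anyone -----------------
// Registering the same callback on wp_ajax_ and wp_ajax_nopriv_ exposes it to
// unauthenticated visitors, and the callback never asks who the caller is.
add_action( 'wp_ajax_abc_delete_booking',        'abc_delete_booking_unchecked' );
add_action( 'wp_ajax_nopriv_abc_delete_booking', 'abc_delete_booking_unchecked' );

function abc_delete_booking_unchecked() {
    global $wpdb;
    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    // Input is sanitized, but authorization is missing: any HTTP client that
    // knows the action name can delete any booking.
    $wpdb->delete( $wpdb->prefix . 'abc_bookings', array( 'id' => $id ), array( '%d' ) );
    wp_send_json_success();
}

// --- Hardened pattern ------------------------------------------------------
// Only the authenticated hook is registered, and the callback verifies a nonce
// (CSRF) and a capability (authorization) before touching data.
add_action( 'wp_ajax_abc_delete_booking_v2', 'abc_delete_booking_checked' );

function abc_delete_booking_checked() {
    // Rejects requests without a valid nonce for this action (dies with 403).
    check_ajax_referer( 'abc_delete_booking', 'nonce' );

    // Authorization: only users who may manage bookings proceed.
    // 'manage_options' is the admin-level capability; a real plugin would
    // usually define a narrower capability of its own.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    if ( 0 === $id ) {
        wp_send_json_error( array( 'message' => 'invalid id' ), 400 );
    }

    global $wpdb;
    $deleted = $wpdb->delete( $wpdb->prefix . 'abc_bookings', array( 'id' => $id ), array( '%d' ) );
    if ( false === $deleted ) {
        wp_send_json_error( array( 'message' => 'database error' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $deleted ) );
}

// --- Same rule for REST routes: permission_callback is where authorization lives.
// Passing '__return_true' there is the REST equivalent of the unchecked handler.
add_action( 'rest_api_init', function () {
    register_rest_route( 'abc/v1', '/bookings/(?P<id>\d+)', array(
        'methods'             => 'DELETE',
        'callback'            => 'abc_rest_delete_booking',
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'id' => array(
                'validate_callback' => function ( $value ) { return is_numeric( $value ); },
            ),
        ),
    ) );
} );

function abc_rest_delete_booking( WP_REST_Request $request ) {
    global $wpdb;
    $deleted = $wpdb->delete( $wpdb->prefix . 'abc_bookings', array( 'id' => (int) $request['id'] ), array( '%d' ) );
    return rest_ensure_response( array( 'deleted' => (int) $deleted ) );
}
```

Reviewing for this bug class is mechanical: for every `add_action( 'wp_ajax_...' )`, `add_action( 'wp_ajax_nopriv_...' )` and `register_rest_route` callback, locate the `current_user_can()` (or an equivalent ownership check) that runs before the first data access. A nonce check alone is not authorization: a nonce only proves the request originated from a page the same user loaded, so a subscriber with a valid nonce still reaches the privileged code.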
Potential Impact
For European organizations running the plugin, the exposed functionality could give an attacker access to scheduling data: client or employee names and contact details, appointment times and notes, and possibly internal operational information. Because this is personal data, unauthorized disclosure is a confidentiality breach under the GDPR, with the notification duties and potential penalties that entails. Integrity is at risk if bookings can be created, altered or cancelled, which disrupts operations and erodes customer trust; availability suffers if the exposed function can be used to delete or corrupt the booking store. Sectors that depend on appointment scheduling, such as healthcare, legal services and public administration, face the largest operational impact. The medium severity rating reflects moderate risk, but the likely low privilege needed to reach the function and the breadth of personal data behind it argue for prompt treatment, especially where the calendar is integrated with other systems or holds sensitive personal data.
Mitigation Recommendations
With no fixed version listed at the time of analysis, organizations should apply compensating controls now. First establish exposure: confirm the installed version from the WordPress Plugins screen or with WP-CLI (`wp plugin list`); any version up to and including 1.3.92 is affected. Where the booking front end does not need to be public, restrict the site with network segmentation and firewall rules; where it must stay public, at least limit access to the administrative paths (wp-admin, wp-login.php) to trusted networks. Deploy a web application firewall with rules that block or alert on requests to the plugin's privileged actions from sessions that should not have them. Because the required privilege level is unknown, disable self-registration ("Anyone can register" under Settings → General) if it is not needed, and review existing accounts so that only necessary personnel hold roles related to the calendar. Monitor web server and application logs for unusual access patterns, such as repeated calls to booking-management actions from a single client or outside business hours. If the plugin can be spared, deactivate it until a fixed release is available; otherwise disable the specific features that are not required. Track codepeople and Patchstack for a fixed version and apply it as soon as it is released. Brief administrators on the risk and on signs of exploitation, and keep regular backups of appointment data so that tampered or deleted records can be restored.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-04-22T09:21:43.075Z
- CISA Enriched: true
Threat ID: 682d9849c4522896dcbf6dfe
Added to database: 5/21/2025, 9:09:29 AM
Last enriched: 6/21/2025, 8:24:52 PM
Last updated: 11/22/2025, 12:41:44 PM
Related Threats
- CVE-2024-23690: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Netgear FVS336Gv3 (High)
- CVE-2024-13976: CWE-427 Uncontrolled Search Path Element in Commvault Commvault for Windows (High)
- CVE-2024-12856: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Four-Faith F3x24 (High)
- CVE-2025-13526: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in walterpinem OneClick Chat to Order (High)
- CVE-2025-13318: CWE-862 Missing Authorization in codepeople Booking Calendar Contact Form (Medium)