CVE-2025-46247: CWE-862 Missing Authorization in codepeople Appointment Booking Calendar
Missing Authorization vulnerability in codepeople Appointment Booking Calendar allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Appointment Booking Calendar: from n/a through 1.3.92.
AI Analysis
Technical Summary
CVE-2025-46247 is a Missing Authorization vulnerability (CWE-862) identified in the codepeople Appointment Booking Calendar software, affecting versions up to 1.3.92. It arises from insufficient enforcement of Access Control Lists (ACLs), allowing unauthorized users to reach functionality that should be restricted. Specifically, certain functions within the Appointment Booking Calendar can be invoked without proper authorization checks, potentially enabling attackers to perform actions or access data beyond their privileges. Since the product is a web-based appointment scheduling tool, this could include unauthorized viewing, modification, or deletion of booking information or administrative functions. The vulnerability does not require user interaction or authentication to exploit, which increases its risk profile. No known exploits are currently reported in the wild, and no patches have been published yet. The issue was publicly disclosed on April 22, 2025, and has been enriched with CISA data, indicating recognition by US cybersecurity authorities. The lack of a CVSS score necessitates an independent severity assessment based on the vulnerability's characteristics.
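To make the CWE-862 pattern concrete, the following is an added illustration written for this page; it is not code from the Appointment Booking Calendar plugin and does not describe where the real flaw sits. It assumes the product is a WordPress plugin exposing an admin-ajax.php action (an assumption; the page itself does not say so), and all names (`example_cancel_booking`, `example_bookings`, `example_manage_bookings`) are hypothetical. The first handler is reachable by anyone and performs a privileged change with no authorization check; the second shows the checks a defender would expect: an authenticated user, a nonce bound to the action, and a specific capability.

```php
<?php
// Illustrative CWE-862 (Missing Authorization) pattern for a WordPress AJAX endpoint.
// Hypothetical example code, not taken from the Appointment Booking Calendar plugin.

// VULNERABLE: registered for logged-in AND anonymous visitors (wp_ajax_nopriv_),
// and the privileged action runs without any capability or nonce check.
add_action( 'wp_ajax_example_cancel_booking', 'example_cancel_booking_vulnerable' );
add_action( 'wp_ajax_nopriv_example_cancel_booking', 'example_cancel_booking_vulnerable' );

function example_cancel_booking_vulnerable() {
    global $wpdb;
    $booking_id = isset( $_POST['booking_id'] ) ? intval( $_POST['booking_id'] ) : 0;
    // Anyone who can reach admin-ajax.php can delete any booking row.
    $wpdb->delete( $wpdb->prefix . 'example_bookings', array( 'id' => $booking_id ), array( '%d' ) );
    wp_send_json_success();
}

// HARDENED: registered only for authenticated users (no _nopriv hook), verifies
// a nonce tied to this action, and requires a capability before touching data.
add_action( 'wp_ajax_example_cancel_booking_secure', 'example_cancel_booking_secure' );

function example_cancel_booking_secure() {
    // 1. Authentication. The wp_ajax_ hook already implies a logged-in user,
    //    but an explicit check keeps the function safe if it is reused elsewhere.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
    }

    // 2. CSRF protection: the nonce must match the one issued with the form.
    //    check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'example_cancel_booking_nonce', 'nonce' );

    // 3. Authorization, the actual CWE-862 fix. Use a narrow, plugin-specific
    //    capability (mapped to roles at activation) rather than a broad one.
    if ( ! current_user_can( 'example_manage_bookings' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 4. Input validation on the identifier before it reaches the database.
    $booking_id = isset( $_POST['booking_id'] ) ? intval( $_POST['booking_id'] ) : 0;
    if ( $booking_id <= 0 ) {
        wp_send_json_error( array( 'message' => 'Invalid booking id.' ), 400 );
    }

    global $wpdb;
    $deleted = $wpdb->delete( $wpdb->prefix . 'example_bookings', array( 'id' => $booking_id ), array( '%d' ) );
    if ( false === $deleted ) {
        wp_send_json_error( array( 'message' => 'Database error.' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}
```

When reviewing a plugin for this class of issue, the check is mechanical: every `wp_ajax_*` and `wp_ajax_nopriv_*` callback, REST route `permission_callback`, and `admin_post_*` handler that changes state or returns non-public data should carry a `current_user_can()` test against a capability appropriate to the action; a nonce check alone is not authorization, since nonces only bind a request to a user session and do not establish that the user may perform the action.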
Potential Impact
For European organizations using the codepeople Appointment Booking Calendar, this vulnerability could lead to unauthorized access to sensitive scheduling data, including personal information of clients or employees, appointment details, and potentially internal operational data. This breach of confidentiality could violate GDPR regulations, leading to legal and financial repercussions. Integrity of booking data could be compromised, allowing attackers to alter or cancel appointments, disrupting business operations and customer trust. Availability might also be affected if attackers exploit the vulnerability to disrupt the calendar service. Sectors heavily reliant on appointment scheduling, such as healthcare, legal services, and public administration, could face significant operational impacts. The medium severity rating suggests a moderate risk, but the absence of authentication requirements and the potential for unauthorized access elevate concerns. The impact is heightened in environments where the Appointment Booking Calendar integrates with other critical systems or contains sensitive personal data.
Mitigation Recommendations
Given the absence of an official patch, European organizations should implement compensating controls immediately. These include restricting access to the Appointment Booking Calendar application via network segmentation and firewall rules, limiting exposure to trusted internal networks only; deploying web application firewalls (WAFs) with custom rules to detect and block unauthorized access attempts targeting the vulnerable functions; conducting thorough access reviews to ensure that only necessary personnel hold permissions related to the calendar system; and monitoring logs for unusual access patterns or attempts to invoke restricted functions. If feasible, temporarily disable or restrict the vulnerable functionality until a patch is available. Organizations should engage with codepeople to obtain timelines for patches and apply them promptly once released. Educating users and administrators about the risk and the signs of exploitation can aid early detection. Regular backups of appointment data should be maintained to enable recovery in case of data tampering or loss.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Sweden, Poland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: Patchstack
- Date Reserved: 2025-04-22T09:21:43.075Z
- CISA Enriched: true
- Threat ID: 682d9849c4522896dcbf6dfe
- Added to database: 5/21/2025, 9:09:29 AM
- Last enriched: 6/21/2025, 8:24:52 PM
- Last updated: 8/1/2025, 5:01:33 AM