
CVE-2025-46247: CWE-862 Missing Authorization in codepeople Appointment Booking Calendar

Severity: Medium
Published: Tue Apr 22 2025 (04/22/2025, 09:53:31 UTC)
Source: CVE
Vendor/Project: codepeople
Product: Appointment Booking Calendar

Description

Missing Authorization vulnerability in codepeople Appointment Booking Calendar allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Appointment Booking Calendar: from n/a through 1.3.92.

AI-Powered Analysis

AI analysis last updated: 06/21/2025, 20:24:52 UTC

Technical Analysis

CVE-2025-46247 is a Missing Authorization vulnerability (CWE-862) identified in the codepeople Appointment Booking Calendar software, affecting versions up to 1.3.92. This vulnerability arises due to insufficient enforcement of Access Control Lists (ACLs), allowing unauthorized users to access functionality that should be restricted. Specifically, the flaw means that certain functions within the Appointment Booking Calendar can be invoked without proper authorization checks, potentially enabling attackers to perform actions or access data beyond their privileges. Since the product is a web-based appointment scheduling tool, this could include unauthorized viewing, modification, or deletion of booking information or administrative functions. The vulnerability does not require user interaction or authentication to exploit, increasing its risk profile. No known exploits are currently reported in the wild, and no patches have been published yet. The issue was publicly disclosed on April 22, 2025, and has been enriched with CISA data, indicating recognition by US cybersecurity authorities. The lack of a CVSS score necessitates an independent severity assessment based on the vulnerability's characteristics.
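The CWE-862 pattern described above, as an added illustration that is not the plugin's own code: a booking-cancellation handler that acts on its data store without asking who the caller is, beside a hardened form that performs an explicit capability check before any state changes. The `User` model, the `manage_bookings` capability name and the sample booking store are all constructed for this example.

```python
"""Hypothetical illustration of CWE-862 (Missing Authorization) in a
booking handler, showing the weak and hardened forms side by side.
Added example code; not the Appointment Booking Calendar source."""
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    # Capabilities granted to this user; constructed names for the example
    capabilities: frozenset = field(default_factory=frozenset)


# Unauthenticated caller: no identity, no capabilities
ANONYMOUS = User("anonymous")


class AuthorizationError(Exception):
    """Raised when a caller lacks the capability an action requires."""


# Constructed sample store: booking id -> details
BOOKINGS = {
    101: {"client": "A. Example", "time": "2025-05-02T10:00"},
    102: {"client": "B. Example", "time": "2025-05-02T11:00"},
}


def cancel_booking_vulnerable(user, booking_id, store):
    """CWE-862 pattern: the handler is reachable and mutates the store
    without checking who the caller is or what they may do. The `user`
    argument is accepted but never consulted."""
    return store.pop(booking_id, None) is not None


def cancel_booking_hardened(user, booking_id, store):
    """Same action, but authorization is enforced up front: an anonymous
    caller, or an authenticated one without `manage_bookings`, is rejected
    before any state changes. The check is about capability, not identity,
    so logging in alone is not enough."""
    if user is ANONYMOUS or "manage_bookings" not in user.capabilities:
        raise AuthorizationError(f"{user.name} may not cancel bookings")
    return store.pop(booking_id, None) is not None


def attempt_cancel(user, booking_id, store):
    """Dispatcher-style wrapper that maps the outcome of the hardened
    handler onto the HTTP status a web front end would return."""
    try:
        removed = cancel_booking_hardened(user, booking_id, store)
    except AuthorizationError:
        return "403 Forbidden"
    return "200 OK" if removed else "404 Not Found"


if __name__ == "__main__":
    # Vulnerable handler: an anonymous caller deletes booking 101
    weak_store = dict(BOOKINGS)
    print("vulnerable, anonymous:", cancel_booking_vulnerable(ANONYMOUS, 101, weak_store))
    # Hardened handler: anonymous and under-privileged callers are refused
    store = dict(BOOKINGS)
    print("hardened, anonymous:", attempt_cancel(ANONYMOUS, 101, store))
    viewer = User("alice", frozenset({"view_bookings"}))
    print("hardened, viewer:", attempt_cancel(viewer, 101, store))
    admin = User("admin", frozenset({"manage_bookings"}))
    print("hardened, admin:", attempt_cancel(admin, 101, store))
```

The fix is the placement of the check: it runs before the mutation, it names a specific capability rather than merely "is logged in", and the dispatcher turns a refusal into a 403 so that refused attempts show up in access logs.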

Potential Impact

For European organizations using the codepeople Appointment Booking Calendar, this vulnerability could lead to unauthorized access to sensitive scheduling data, including personal information of clients or employees, appointment details, and potentially internal operational data. This breach of confidentiality could violate GDPR regulations, leading to legal and financial repercussions. Integrity of booking data could be compromised, allowing attackers to alter or cancel appointments, disrupting business operations and customer trust. Availability might also be affected if attackers exploit the vulnerability to disrupt the calendar service. Sectors heavily reliant on appointment scheduling, such as healthcare, legal services, and public administration, could face significant operational impacts. The medium severity rating suggests a moderate risk, but the absence of authentication requirements and the potential for unauthorized access elevate concerns. The impact is heightened in environments where the Appointment Booking Calendar integrates with other critical systems or contains sensitive personal data.

Mitigation Recommendations

Given the absence of an official patch, European organizations should implement compensating controls immediately. These include restricting access to the Appointment Booking Calendar application via network segmentation and firewall rules, limiting exposure to trusted internal networks only. Employ web application firewalls (WAFs) with custom rules to detect and block unauthorized access attempts targeting the vulnerable functions. Conduct thorough access reviews to ensure that only necessary personnel have permissions related to the calendar system. Monitor logs for unusual access patterns or attempts to invoke restricted functions. If feasible, temporarily disable or restrict the vulnerable functionalities until a patch is available. Organizations should engage with codepeople to obtain timelines for patches and apply them promptly once released. Additionally, educating users and administrators about the risk and signs of exploitation can aid early detection. Regular backups of appointment data should be maintained to enable recovery in case of data tampering or loss.
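One way to act on the "monitor logs for attempts to invoke restricted functions" recommendation, as an added example that is not part of the original advisory: a small analyser that reads web-server access log lines and flags successful (2xx) requests to restricted endpoints made without an authenticated identity. The endpoint paths and the log lines are constructed for the example; the plugin's real endpoints are not named on this page, so a deployment would substitute its own list.

```python
"""Added example: flag unauthenticated requests that succeeded against
restricted endpoints, from combined-log-style access log lines.
Paths and log lines are constructed; they are not the plugin's real ones."""
import re
from collections import Counter

# Constructed placeholder list of endpoints that should require authorization
RESTRICTED_PATHS = ("/booking/cancel", "/booking/export", "/booking/admin")

# ip - user [timestamp] "METHOD path PROTOCOL" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})$'
)

# Constructed sample log: one anonymous source succeeds twice against a
# restricted path, an authenticated user succeeds once, and one anonymous
# attempt is correctly refused with 403.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Apr/2025:10:01:02 +0000] "GET /booking/list HTTP/1.1" 200
203.0.113.5 - - [22/Apr/2025:10:01:07 +0000] "POST /booking/cancel?id=101 HTTP/1.1" 200
203.0.113.5 - - [22/Apr/2025:10:01:09 +0000] "POST /booking/cancel?id=102 HTTP/1.1" 200
198.51.100.9 - alice [22/Apr/2025:10:02:00 +0000] "POST /booking/cancel?id=103 HTTP/1.1" 200
198.51.100.9 - - [22/Apr/2025:10:03:00 +0000] "GET /booking/export HTTP/1.1" 403
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_restricted(path):
    """Compare the path without its query string against the restricted list."""
    return path.split("?", 1)[0].startswith(RESTRICTED_PATHS)


def find_unauthorized_hits(log_text):
    """Entries where an unauthenticated caller ('-' in the user field) got a
    2xx response on a restricted path. A 403 for an anonymous caller means
    the authorization check did its job; a 2xx means it was missing."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if (entry["user"] == "-"
                and is_restricted(entry["path"])
                and entry["status"].startswith("2")):
            hits.append(entry)
    return hits


def hits_per_source(hits):
    """Count flagged requests per source address to surface bursts."""
    return Counter(entry["ip"] for entry in hits)


if __name__ == "__main__":
    flagged = find_unauthorized_hits(SAMPLE_LOG)
    for entry in flagged:
        print(f"{entry['ts']} {entry['ip']} {entry['method']} {entry['path']} -> {entry['status']}")
    print("per source:", dict(hits_per_source(flagged)))
```

The useful signal is not the request to a restricted path by itself but the combination of no authenticated identity and a success status; after a fix is deployed, the same query should only ever return 403 entries, which makes it a convenient regression check as well as a detection rule.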


Technical Details

Data Version
5.1
Assigner Short Name
Patchstack
Date Reserved
2025-04-22T09:21:43.075Z
Cisa Enriched
true

Threat ID: 682d9849c4522896dcbf6dfe

Added to database: 5/21/2025, 9:09:29 AM

Last enriched: 6/21/2025, 8:24:52 PM

Last updated: 8/1/2025, 5:01:33 AM
