External risk intelligence

Doctor's Appointment System 1.0 Broken Access Control Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2022-36202

This is a web application designed to manage appointments, which is a role typically deployed as a public-facing web service accessible over the internet to allow patients or users to schedule bookings.

Doctor\'s Appointment System Project Doctor\'s Appointment System

1.0

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in the Doctor's Appointment System software that could allow unauthorized access to sensitive patient information. This issue stems from a flaw in how the system controls access to user settings, potentially exposing patient data and system functionalities to anyone who can reach the affected web address.

  • Unauthorized access to patient records.
  • Critical flaw affects sensitive data.
  • Confirm relevance and exposure.

Attack Path

How an attacker could exploit the issue

An attacker could begin by accessing the Doctor's Appointment System from the internet. They would then navigate to the patient settings page and manipulate the 'id' parameter to access or modify another patient's data. This broken access control vulnerability could allow an attacker to gain full control over patient information.

  • No authentication is required for access.
  • An attacker can change the 'id' parameter.
  • Leads to complete control over patient data.

Live Threat

Current exploitation, exposure, and threat context

The Doctor's Appointment System could expose sensitive patient and appointment data when accessed through its settings page. This vulnerability may allow unauthorized users to view or modify records by manipulating a specific parameter in the URL.

  • Patient and appointment data at risk.
  • Unauthorized access via IDOR.
  • Compromise of sensitive information.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in Doctor's Appointment System affects an application likely managed by the application owner or a dedicated web platform team. The first practical step is to locate all instances of this system, determine their internet-facing status and business criticality, and identify the accountable owner before planning remediation.

  • Application owner must address the issue.
  • Verify system reachability and criticality first.
  • Plan remediation based on confirmed risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is the Doctor's Appointment System?

Doctor's Appointment System is a web-based application designed to help clinics or medical offices manage patient schedules and bookings. Because it acts as a digital interface for patients to view or set appointments, it is typically hosted as a web service to remain accessible to users.

What does CVE-2022-36202 mean?

This vulnerability is classified as CWE-639, or Authorization Bypass Through User-Controlled Key. In simple terms, the application fails to verify if a user has permission to view the data they are requesting. Because the system trusts the 'id' parameter in the URL without checking identity, it allows unauthorized access to sensitive patient profiles.

How does an attacker trigger this vulnerability?

An attacker triggers this flaw by accessing the settings page and modifying the 'id' parameter directly in the web browser's address bar. It is important to note that this does not require a complex exploit script or specialized hacking tools; simply changing the numerical value of that parameter to another patient's identifier is sufficient to access data that should be private.

Is my system at risk?

According to Halo Surface Signal, this software is often deployed as a public-facing web service, which significantly increases risk. If your instance is reachable over the internet, it is likely exposed to anyone who can navigate to the application URL, as the vulnerability does not require authentication to access the affected settings page.

What should I do if I run this software?

Your first step is to perform an inventory of all systems to identify where this application is installed. Once located, verify if the system is accessible from the internet and determine its business importance. Work with the system owner to restrict access or coordinate with your technical team to plan for remediation to prevent unauthorized data exposure.

References