Default account creation on all installation methods in alextselegidis/easyappointments

Status: Valid

Reported on Feb 6th 2023


Description

In the console installation, the administrator account is created with default credentials. In addition, both the console installation and the GUI installation create a janedoe account with default credentials, so every fresh install ships with at least one account whose login details are known in advance.

Impact

An attacker could exploit this vulnerability by logging in remotely to an affected system with the default credentials, without needing any prior access.
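
The following is an added example and not Easy!Appointments' own installer or seeder code. It contrasts the pattern the report describes (a seeder that gives every install the same guessable credentials) with the shape of the fix the maintainer mentions below: take the password from the install form when the UI collects one, otherwise generate a random one per install, store only its hash, and return the plaintext once so the installer can show it to the operator. The table layout, the account names, the role strings and the placeholder password are assumptions for illustration; they are not the project's real schema, accounts or defaults.

```php
<?php
// Added example, not Easy!Appointments code. Assumes a PDO connection and a
// hypothetical table users(email, password_hash, role). The project's real
// schema, account names and hashing scheme are not reproduced here.
declare(strict_types=1);

// BEFORE: the pattern the report describes. Every install gets the same
// credentials for the admin (console install) and the demo user (both
// installs), so anyone who can reach the login page can authenticate.
// 'changeme' is a placeholder, not the project's actual default.
function seed_users_with_defaults(PDO $db): void
{
    $accounts = [
        ['email' => 'admin@example.org',   'password' => 'changeme', 'role' => 'admin'],
        ['email' => 'janedoe@example.org', 'password' => 'changeme', 'role' => 'provider'],
    ];
    $stmt = $db->prepare('INSERT INTO users (email, password_hash, role) VALUES (?, ?, ?)');
    foreach ($accounts as $a) {
        $stmt->execute([$a['email'], password_hash($a['password'], PASSWORD_DEFAULT), $a['role']]);
    }
}

// AFTER: a fresh random password per install wherever the UI supplied none.
function generate_password(int $bytes = 16): string
{
    // 16 bytes from the CSPRNG -> 32 hex characters (~128 bits of entropy)
    return bin2hex(random_bytes($bytes));
}

/**
 * @param PDO                        $db
 * @param array<string,string|null>  $uiPasswords email => password entered in the
 *                                                install form, or null when the
 *                                                installer (e.g. console) had no input
 * @return array<string,string>      email => generated plaintext, to be shown once
 */
function seed_users(PDO $db, array $uiPasswords): array
{
    $accounts = [
        ['email' => 'admin@example.org',   'role' => 'admin'],
        ['email' => 'janedoe@example.org', 'role' => 'provider'],
    ];
    $generated = [];
    $stmt = $db->prepare('INSERT INTO users (email, password_hash, role) VALUES (?, ?, ?)');
    foreach ($accounts as $a) {
        $plain = $uiPasswords[$a['email']] ?? null;
        if ($plain === null || $plain === '') {
            $plain = generate_password();
            $generated[$a['email']] = $plain;   // returned to the caller, never persisted
        }
        $stmt->execute([$a['email'], password_hash($plain, PASSWORD_DEFAULT), $a['role']]);
    }
    return $generated;
}

// Usage with an in-memory SQLite database (constructed for this example;
// requires the pdo_sqlite extension).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (email TEXT PRIMARY KEY, password_hash TEXT NOT NULL, role TEXT NOT NULL)');

// Console install: no UI input at all, so both passwords are generated.
$shown = seed_users($db, []);
foreach ($shown as $email => $plain) {
    // Display once on the installer's terminal; do not write this to a log file.
    fwrite(STDERR, "Generated password for {$email}: {$plain}\n");
}

// Check: the old placeholder default no longer authenticates against the new rows.
$hash = $db->query("SELECT password_hash FROM users WHERE email = 'janedoe@example.org'")->fetchColumn();
if (password_verify('changeme', $hash)) {
    throw new RuntimeException('default password still accepted');
}
echo "Default credentials rejected; per-install passwords in place.\n";
```

Two practical notes: when a GUI install collects the admin password, pass it in `$uiPasswords` so only the accounts with no form input get a generated value; and for a demo account such as janedoe, the safer choice on a production install is to not create it at all, leaving generation for development seeds only.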

We are processing your report and will contact the alextselegidis/easyappointments team within 24 hours. 10 months ago
We have contacted a member of the alextselegidis/easyappointments team and are waiting to hear back 10 months ago
Alex Tselegidis (Maintainer), 9 months ago

Hello!

Thanks for submitting this.

I've updated the seeders to provide custom passwords wherever there is no UI input for them.

Alex Tselegidis validated this vulnerability 9 months ago
pedrojosenavasperez has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Alex Tselegidis marked this as fixed in 1.5.0 with commit 2731d2 9 months ago
Alex Tselegidis has been awarded the fix bounty
This vulnerability has been assigned a CVE
Alex Tselegidis published this vulnerability 9 months ago