Search criteria
19 vulnerabilities by Koha
CVE-2025-30076 (GCVE-0-2025-30076)
Vulnerability from cvelistv5 – Published: 2025-03-16 00:00 – Updated: 2025-03-17 15:52
VLAI?
Summary
Koha before 24.11.02 allows admins to execute arbitrary commands via shell metacharacters in the tools/scheduler.pl report parameter.
Severity ?
7.7 (High)
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-30076",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-17T15:52:12.983540Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-17T15:52:17.570Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/gl0wyy/koha-task-scheduler-rce"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "Koha",
"vendor": "Koha",
"versions": [
{
"lessThan": "22.11.24",
"status": "affected",
"version": "0",
"versionType": "custom"
},
{
"lessThan": "23.11.12",
"status": "affected",
"version": "23",
"versionType": "custom"
},
{
"lessThan": "24.05.07",
"status": "affected",
"version": "24",
"versionType": "custom"
},
{
"lessThan": "24.11.02",
"status": "affected",
"version": "24.06",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:koha:koha:*:*:*:*:*:*:*:*",
"versionEndExcluding": "22.11.24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:koha:koha:*:*:*:*:*:*:*:*",
"versionEndExcluding": "23.11.12",
"versionStartIncluding": "23",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:koha:koha:*:*:*:*:*:*:*:*",
"versionEndExcluding": "24.05.07",
"versionStartIncluding": "24",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:koha:koha:*:*:*:*:*:*:*:*",
"versionEndExcluding": "24.11.02",
"versionStartIncluding": "24.06",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Koha before 24.11.02 allows admins to execute arbitrary commands via shell metacharacters in the tools/scheduler.pl report parameter."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78 Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-16T02:37:40.294Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://github.com/gl0wyy/koha-task-scheduler-rce"
},
{
"url": "https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39170"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-30076",
"datePublished": "2025-03-16T00:00:00.000Z",
"dateReserved": "2025-03-16T00:00:00.000Z",
"dateUpdated": "2025-03-17T15:52:17.570Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22954 (GCVE-0-2025-22954)
Vulnerability from cvelistv5 – Published: 2025-03-12 00:00 – Updated: 2025-03-18 13:15
VLAI?
Summary
GetLateOrMissingIssues in C4/Serials.pm in Koha before 24.11.02 allows SQL Injection in /serials/lateissues-export.pl via the supplierid or serialid parameter.
Severity ?
10 (Critical)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22954",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-18T13:15:29.271346Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-18T13:15:54.560Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Koha",
"vendor": "Koha",
"versions": [
{
"lessThan": "24.11.02",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:koha:koha:*:*:*:*:*:*:*:*",
"versionEndExcluding": "24.11.02",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GetLateOrMissingIssues in C4/Serials.pm in Koha before 24.11.02 allows SQL Injection in /serials/lateissues-export.pl via the supplierid or serialid parameter."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 10,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-13T03:22:11.330Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=38829"
},
{
"url": "https://koha-community.org/koha-24-11-02-released/"
}
],
"x_generator": {
"engine": "enrichogram 0.0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2025-22954",
"datePublished": "2025-03-12T00:00:00.000Z",
"dateReserved": "2025-01-09T00:00:00.000Z",
"dateUpdated": "2025-03-18T13:15:54.560Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-28739 (GCVE-0-2024-28739)
Vulnerability from cvelistv5 – Published: 2024-08-06 00:00 – Updated: 2024-08-06 20:54
VLAI?
Summary
An issue in Koha ILS 23.05 and before allows a remote attacker to execute arbitrary code via a crafted script to the format parameter.
Severity ?
9.6 (Critical)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:koha:koha:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "koha",
"vendor": "koha",
"versions": [
{
"lessThanOrEqual": "23.05",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.6,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-28739",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-06T20:53:58.370756Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-06T20:54:07.974Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "An issue in Koha ILS 23.05 and before allows a remote attacker to execute arbitrary code via a crafted script to the format parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-06T18:47:14.231319",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://febin0x4e4a.wordpress.com/2024/03/07/xss-to-one-click-rce-in-koha-ils/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-28739",
"datePublished": "2024-08-06T00:00:00",
"dateReserved": "2024-03-08T00:00:00",
"dateUpdated": "2024-08-06T20:54:07.974Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-28740 (GCVE-0-2024-28740)
Vulnerability from cvelistv5 – Published: 2024-08-06 00:00 – Updated: 2024-08-21 17:34
VLAI?
Summary
Cross Site Scripting vulnerability in Koha ILS 23.05 and before allows a remote attacker to execute arbitrary code via the additonal-contents.pl component.
Severity ?
6.1 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:koha:koha:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "koha",
"vendor": "koha",
"versions": [
{
"lessThanOrEqual": "23.05",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-28740",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-21T17:34:03.034235Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-21T17:34:11.794Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cross Site Scripting vulnerability in Koha ILS 23.05 and before allows a remote attacker to execute arbitrary code via the additonal-contents.pl component."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-06T18:50:03.372423",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://febin0x4e4a.wordpress.com/2023/01/11/xss-vulnerability-in-koha-integrated-library-system/"
},
{
"url": "https://febin0x4e4a.wordpress.com/2024/03/07/xss-to-one-click-rce-in-koha-ils/"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-28740",
"datePublished": "2024-08-06T00:00:00",
"dateReserved": "2024-03-08T00:00:00",
"dateUpdated": "2024-08-21T17:34:11.794Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-24337 (GCVE-0-2024-24337)
Vulnerability from cvelistv5 – Published: 2024-02-12 00:00 – Updated: 2025-09-29 14:22
VLAI?
Summary
CSV Injection vulnerability in '/members/moremember.pl' and '/admin/aqbudgets.pl' endpoints in Koha Library Management System version 23.05.05 and earlier allows attackers to to inject DDE commands into csv exports via the 'Budget' and 'Patrons Member' components.
Severity ?
8.8 (High)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T23:19:52.558Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://nitipoom-jar.github.io/CVE-2024-24337/"
}
],
"title": "CVE Program Container"
},
{
"affected": [
{
"cpes": [
"cpe:2.3:a:koha-community:koha_library_software:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "koha_library_software",
"vendor": "koha-community",
"versions": [
{
"lessThanOrEqual": "23.05.05",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-24337",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-26T18:28:30.058045Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1236",
"description": "CWE-1236 Improper Neutralization of Formula Elements in a CSV File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-26T18:33:32.019Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CSV Injection vulnerability in \u0027/members/moremember.pl\u0027 and \u0027/admin/aqbudgets.pl\u0027 endpoints in Koha Library Management System version 23.05.05 and earlier allows attackers to to inject DDE commands into csv exports via the \u0027Budget\u0027 and \u0027Patrons Member\u0027 components."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-29T14:22:32.206Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "https://nitipoom-jar.github.io/CVE-2024-24337/"
},
{
"url": "https://nitipoom-jaroonchaipipat.github.io/security-research-portal/2024-24337"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-24337",
"datePublished": "2024-02-12T00:00:00.000Z",
"dateReserved": "2024-01-25T00:00:00.000Z",
"dateUpdated": "2025-09-29T14:22:32.206Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-5025 (GCVE-0-2023-5025)
Vulnerability from cvelistv5 – Published: 2023-09-17 07:00 – Updated: 2024-08-02 07:44
VLAI?
Title
KOHA MARC search.pl cross site scripting
Summary
A vulnerability was found in KOHA up to 23.05.03. It has been declared as problematic. This vulnerability affects unknown code of the file /cgi-bin/koha/catalogue/search.pl of the component MARC. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-239866 is the identifier assigned to this vulnerability.
Severity ?
CWE
- CWE-79 - Cross Site Scripting
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Credits
Angel Metz
ph03n1xsp (VulDB User)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:44:53.733Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description",
"x_transferred"
],
"url": "https://vuldb.com/?id.239866"
},
{
"tags": [
"signature",
"permissions-required",
"x_transferred"
],
"url": "https://vuldb.com/?ctiid.239866"
},
{
"tags": [
"media-coverage",
"x_transferred"
],
"url": "https://www.youtube.com/watch?v=b5107YkpgaM"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"modules": [
"MARC"
],
"product": "KOHA",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "23.05.03"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Angel Metz"
},
{
"lang": "en",
"type": "analyst",
"value": "ph03n1xsp (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in KOHA up to 23.05.03. It has been declared as problematic. This vulnerability affects unknown code of the file /cgi-bin/koha/catalogue/search.pl of the component MARC. The manipulation leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-239866 is the identifier assigned to this vulnerability."
},
{
"lang": "de",
"value": "In KOHA bis 23.05.03 wurde eine Schwachstelle ausgemacht. Sie wurde als problematisch eingestuft. Das betrifft eine unbekannte Funktionalit\u00e4t der Datei /cgi-bin/koha/catalogue/search.pl der Komponente MARC. Dank der Manipulation mit unbekannten Daten kann eine cross site scripting-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk angegangen werden. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T19:09:41.254Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/?id.239866"
},
{
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/?ctiid.239866"
},
{
"tags": [
"media-coverage"
],
"url": "https://www.youtube.com/watch?v=b5107YkpgaM"
}
],
"timeline": [
{
"lang": "en",
"time": "2023-09-16T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2023-09-16T00:00:00.000Z",
"value": "CVE reserved"
},
{
"lang": "en",
"time": "2023-09-16T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2023-10-12T14:58:51.000Z",
"value": "VulDB entry last update"
},
{
"lang": "en",
"time": "2023-12-09T00:00:00.000Z",
"value": "Vendor informed"
},
{
"lang": "en",
"time": "2023-12-09T00:00:00.000Z",
"value": "Vendor acknowledged"
}
],
"title": "KOHA MARC search.pl cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2023-5025",
"datePublished": "2023-09-17T07:00:07.258Z",
"dateReserved": "2023-09-16T08:19:19.064Z",
"dateUpdated": "2024-08-02T07:44:53.733Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-1925 (GCVE-0-2014-1925)
Vulnerability from cvelistv5 – Published: 2020-01-24 16:42 – Updated: 2024-08-06 09:58
VLAI?
Summary
SQL injection vulnerability in the MARC framework import/export function (admin/import_export_framework.pl) in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. NOTE: this can be leveraged by remote attackers using CVE-2014-1924.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T09:58:15.638Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://koha-community.org/security-release-february-2014/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2014/02/07/10"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2014/02/10/3"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11666"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-02-07T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "SQL injection vulnerability in the MARC framework import/export function (admin/import_export_framework.pl) in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. NOTE: this can be leveraged by remote attackers using CVE-2014-1924."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-24T16:42:51",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://koha-community.org/security-release-february-2014/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.openwall.com/lists/oss-security/2014/02/07/10"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.openwall.com/lists/oss-security/2014/02/10/3"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11666"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-1925",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "SQL injection vulnerability in the MARC framework import/export function (admin/import_export_framework.pl) in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. NOTE: this can be leveraged by remote attackers using CVE-2014-1924."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://koha-community.org/security-release-february-2014/",
"refsource": "MISC",
"url": "http://koha-community.org/security-release-february-2014/"
},
{
"name": "http://www.openwall.com/lists/oss-security/2014/02/07/10",
"refsource": "MISC",
"url": "http://www.openwall.com/lists/oss-security/2014/02/07/10"
},
{
"name": "http://www.openwall.com/lists/oss-security/2014/02/10/3",
"refsource": "MISC",
"url": "http://www.openwall.com/lists/oss-security/2014/02/10/3"
},
{
"name": "http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11666",
"refsource": "MISC",
"url": "http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11666"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-1925",
"datePublished": "2020-01-24T16:42:51",
"dateReserved": "2014-02-09T00:00:00",
"dateUpdated": "2024-08-06T09:58:15.638Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-1924 (GCVE-0-2014-1924)
Vulnerability from cvelistv5 – Published: 2020-01-24 16:42 – Updated: 2024-08-06 09:58
VLAI?
Summary
The MARC framework import/export function (admin/import_export_framework.pl) in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 does not require authentication, which allows remote attackers to conduct SQL injection attacks via unspecified vectors.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T09:58:15.560Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://koha-community.org/security-release-february-2014/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2014/02/07/10"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2014/02/10/3"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11666"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-02-07T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The MARC framework import/export function (admin/import_export_framework.pl) in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 does not require authentication, which allows remote attackers to conduct SQL injection attacks via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-24T16:42:48",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://koha-community.org/security-release-february-2014/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.openwall.com/lists/oss-security/2014/02/07/10"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.openwall.com/lists/oss-security/2014/02/10/3"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11666"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-1924",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The MARC framework import/export function (admin/import_export_framework.pl) in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 does not require authentication, which allows remote attackers to conduct SQL injection attacks via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://koha-community.org/security-release-february-2014/",
"refsource": "MISC",
"url": "http://koha-community.org/security-release-february-2014/"
},
{
"name": "http://www.openwall.com/lists/oss-security/2014/02/07/10",
"refsource": "MISC",
"url": "http://www.openwall.com/lists/oss-security/2014/02/07/10"
},
{
"name": "http://www.openwall.com/lists/oss-security/2014/02/10/3",
"refsource": "MISC",
"url": "http://www.openwall.com/lists/oss-security/2014/02/10/3"
},
{
"name": "http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11666",
"refsource": "MISC",
"url": "http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11666"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-1924",
"datePublished": "2020-01-24T16:42:48",
"dateReserved": "2014-02-09T00:00:00",
"dateUpdated": "2024-08-06T09:58:15.560Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-1922 (GCVE-0-2014-1922)
Vulnerability from cvelistv5 – Published: 2020-01-24 16:42 – Updated: 2024-08-06 09:58
VLAI?
Summary
Absolute path traversal vulnerability in tools/pdfViewer.pl in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 allows remote attackers to read arbitrary files via unspecified vectors.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T09:58:15.663Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11660"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://koha-community.org/security-release-february-2014/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2014/02/07/10"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2014/02/10/3"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-02-07T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Absolute path traversal vulnerability in tools/pdfViewer.pl in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 allows remote attackers to read arbitrary files via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-24T16:42:45",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11660"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://koha-community.org/security-release-february-2014/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.openwall.com/lists/oss-security/2014/02/07/10"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.openwall.com/lists/oss-security/2014/02/10/3"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-1922",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Absolute path traversal vulnerability in tools/pdfViewer.pl in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 allows remote attackers to read arbitrary files via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11660",
"refsource": "MISC",
"url": "http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11660"
},
{
"name": "http://koha-community.org/security-release-february-2014/",
"refsource": "MISC",
"url": "http://koha-community.org/security-release-february-2014/"
},
{
"name": "http://www.openwall.com/lists/oss-security/2014/02/07/10",
"refsource": "MISC",
"url": "http://www.openwall.com/lists/oss-security/2014/02/07/10"
},
{
"name": "http://www.openwall.com/lists/oss-security/2014/02/10/3",
"refsource": "MISC",
"url": "http://www.openwall.com/lists/oss-security/2014/02/10/3"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-1922",
"datePublished": "2020-01-24T16:42:45",
"dateReserved": "2014-02-09T00:00:00",
"dateUpdated": "2024-08-06T09:58:15.663Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-1923 (GCVE-0-2014-1923)
Vulnerability from cvelistv5 – Published: 2020-01-24 16:42 – Updated: 2024-08-06 09:58
VLAI?
Summary
Multiple directory traversal vulnerabilities in the (1) staff interface help editor (edithelp.pl) or (2) member-picupload.pl in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 allow remote attackers to write to arbitrary files via unspecified vectors.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T09:58:15.695Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://koha-community.org/security-release-february-2014/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2014/02/07/10"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2014/02/10/3"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11661"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11662"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2014-02-07T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple directory traversal vulnerabilities in the (1) staff interface help editor (edithelp.pl) or (2) member-picupload.pl in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 allow remote attackers to write to arbitrary files via unspecified vectors."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2020-01-24T16:42:42",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://koha-community.org/security-release-february-2014/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.openwall.com/lists/oss-security/2014/02/07/10"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.openwall.com/lists/oss-security/2014/02/10/3"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11661"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11662"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-1923",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple directory traversal vulnerabilities in the (1) staff interface help editor (edithelp.pl) or (2) member-picupload.pl in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 allow remote attackers to write to arbitrary files via unspecified vectors."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://koha-community.org/security-release-february-2014/",
"refsource": "MISC",
"url": "http://koha-community.org/security-release-february-2014/"
},
{
"name": "http://www.openwall.com/lists/oss-security/2014/02/07/10",
"refsource": "MISC",
"url": "http://www.openwall.com/lists/oss-security/2014/02/07/10"
},
{
"name": "http://www.openwall.com/lists/oss-security/2014/02/10/3",
"refsource": "MISC",
"url": "http://www.openwall.com/lists/oss-security/2014/02/10/3"
},
{
"name": "http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11661",
"refsource": "MISC",
"url": "http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11661"
},
{
"name": "http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11662",
"refsource": "MISC",
"url": "http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11662"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-1923",
"datePublished": "2020-01-24T16:42:42",
"dateReserved": "2014-02-09T00:00:00",
"dateUpdated": "2024-08-06T09:58:15.695Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-4631 (GCVE-0-2015-4631)
Vulnerability from cvelistv5 – Published: 2018-10-18 20:00 – Updated: 2024-08-06 06:18
VLAI?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to inject arbitrary web script or HTML via the (1) tag parameter to opac-search.pl; the (2) value parameter to authorities/authorities-home.pl; the (3) delay parameter to acqui/lateorders.pl; the (4) authtypecode or (5) tagfield to admin/auth_subfields_structure.pl; the (6) tagfield parameter to admin/marc_subfields_structure.pl; the (7) limit parameter to catalogue/search.pl; the (8) bookseller_filter, (9) callnumber_filter, (10) EAN_filter, (11) ISSN_filter, (12) publisher_filter, or (13) title_filter parameter to serials/serials-search.pl; or the (14) author, (15) collectiontitle, (16) copyrightdate, (17) isbn, (18) manageddate_from, (19) manageddate_to, (20) publishercode, (21) suggesteddate_from, or (22) suggesteddate_to parameter to suggestion/suggestion.pl; or the (23) direction, (24) display or (25) addshelf parameter to opac-shelves.pl.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T06:18:12.212Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://packetstormsecurity.com/files/132458/Koha-ILS-3.20.x-CSRF-XSS-Traversal-SQL-Injection.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14418"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.sba-research.org/2015/06/24/researchers-of-sba-research-found-several-critical-security-vulnerabilities-in-the-koha-library-software-via-combinatorial-testing/"
},
{
"name": "37389",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/37389/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://koha-community.org/security-release-koha-3-16-12/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14423"
},
{
"name": "20150625 SBA Research Vulnerability Disclosure - Multiple Critical Vulnerabilities in Koha ILS",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "https://seclists.org/fulldisclosure/2015/Jun/80"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://koha-community.org/security-release-koha-3-18-8/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://koha-community.org/security-release-koha-3-20-1/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14416"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://koha-community.org/koha-3-14-16-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-06-25T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to inject arbitrary web script or HTML via the (1) tag parameter to opac-search.pl; the (2) value parameter to authorities/authorities-home.pl; the (3) delay parameter to acqui/lateorders.pl; the (4) authtypecode or (5) tagfield to admin/auth_subfields_structure.pl; the (6) tagfield parameter to admin/marc_subfields_structure.pl; the (7) limit parameter to catalogue/search.pl; the (8) bookseller_filter, (9) callnumber_filter, (10) EAN_filter, (11) ISSN_filter, (12) publisher_filter, or (13) title_filter parameter to serials/serials-search.pl; or the (14) author, (15) collectiontitle, (16) copyrightdate, (17) isbn, (18) manageddate_from, (19) manageddate_to, (20) publishercode, (21) suggesteddate_from, or (22) suggesteddate_to parameter to suggestion/suggestion.pl; or the (23) direction, (24) display or (25) addshelf parameter to opac-shelves.pl."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-18T19:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://packetstormsecurity.com/files/132458/Koha-ILS-3.20.x-CSRF-XSS-Traversal-SQL-Injection.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14418"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.sba-research.org/2015/06/24/researchers-of-sba-research-found-several-critical-security-vulnerabilities-in-the-koha-library-software-via-combinatorial-testing/"
},
{
"name": "37389",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/37389/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://koha-community.org/security-release-koha-3-16-12/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14423"
},
{
"name": "20150625 SBA Research Vulnerability Disclosure - Multiple Critical Vulnerabilities in Koha ILS",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "https://seclists.org/fulldisclosure/2015/Jun/80"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://koha-community.org/security-release-koha-3-18-8/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://koha-community.org/security-release-koha-3-20-1/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14416"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://koha-community.org/koha-3-14-16-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-4631",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to inject arbitrary web script or HTML via the (1) tag parameter to opac-search.pl; the (2) value parameter to authorities/authorities-home.pl; the (3) delay parameter to acqui/lateorders.pl; the (4) authtypecode or (5) tagfield to admin/auth_subfields_structure.pl; the (6) tagfield parameter to admin/marc_subfields_structure.pl; the (7) limit parameter to catalogue/search.pl; the (8) bookseller_filter, (9) callnumber_filter, (10) EAN_filter, (11) ISSN_filter, (12) publisher_filter, or (13) title_filter parameter to serials/serials-search.pl; or the (14) author, (15) collectiontitle, (16) copyrightdate, (17) isbn, (18) manageddate_from, (19) manageddate_to, (20) publishercode, (21) suggesteddate_from, or (22) suggesteddate_to parameter to suggestion/suggestion.pl; or the (23) direction, (24) display or (25) addshelf parameter to opac-shelves.pl."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://packetstormsecurity.com/files/132458/Koha-ILS-3.20.x-CSRF-XSS-Traversal-SQL-Injection.html",
"refsource": "MISC",
"url": "https://packetstormsecurity.com/files/132458/Koha-ILS-3.20.x-CSRF-XSS-Traversal-SQL-Injection.html"
},
{
"name": "https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14418",
"refsource": "CONFIRM",
"url": "https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14418"
},
{
"name": "https://www.sba-research.org/2015/06/24/researchers-of-sba-research-found-several-critical-security-vulnerabilities-in-the-koha-library-software-via-combinatorial-testing/",
"refsource": "MISC",
"url": "https://www.sba-research.org/2015/06/24/researchers-of-sba-research-found-several-critical-security-vulnerabilities-in-the-koha-library-software-via-combinatorial-testing/"
},
{
"name": "37389",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/37389/"
},
{
"name": "https://koha-community.org/security-release-koha-3-16-12/",
"refsource": "CONFIRM",
"url": "https://koha-community.org/security-release-koha-3-16-12/"
},
{
"name": "https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14423",
"refsource": "CONFIRM",
"url": "https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14423"
},
{
"name": "20150625 SBA Research Vulnerability Disclosure - Multiple Critical Vulnerabilities in Koha ILS",
"refsource": "FULLDISC",
"url": "https://seclists.org/fulldisclosure/2015/Jun/80"
},
{
"name": "https://koha-community.org/security-release-koha-3-18-8/",
"refsource": "CONFIRM",
"url": "https://koha-community.org/security-release-koha-3-18-8/"
},
{
"name": "https://koha-community.org/security-release-koha-3-20-1/",
"refsource": "CONFIRM",
"url": "https://koha-community.org/security-release-koha-3-20-1/"
},
{
"name": "https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14416",
"refsource": "CONFIRM",
"url": "https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14416"
},
{
"name": "https://koha-community.org/koha-3-14-16-released/",
"refsource": "CONFIRM",
"url": "https://koha-community.org/koha-3-14-16-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-4631",
"datePublished": "2018-10-18T20:00:00",
"dateReserved": "2015-06-16T00:00:00",
"dateUpdated": "2024-08-06T06:18:12.212Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-4632 (GCVE-0-2015-4632)
Vulnerability from cvelistv5 – Published: 2018-10-18 20:00 – Updated: 2024-08-06 06:18
VLAI?
Summary
Multiple directory traversal vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the template_path parameter to (1) svc/virtualshelves/search or (2) svc/members/search.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T06:18:12.033Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://packetstormsecurity.com/files/132458/Koha-ILS-3.20.x-CSRF-XSS-Traversal-SQL-Injection.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.sba-research.org/2015/06/24/researchers-of-sba-research-found-several-critical-security-vulnerabilities-in-the-koha-library-software-via-combinatorial-testing/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14408"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://koha-community.org/security-release-koha-3-16-12/"
},
{
"name": "20150625 SBA Research Vulnerability Disclosure - Multiple Critical Vulnerabilities in Koha ILS",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "https://seclists.org/fulldisclosure/2015/Jun/80"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://koha-community.org/security-release-koha-3-18-8/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://koha-community.org/security-release-koha-3-20-1/"
},
{
"name": "37388",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/37388/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://koha-community.org/koha-3-14-16-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-06-25T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple directory traversal vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the template_path parameter to (1) svc/virtualshelves/search or (2) svc/members/search."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-18T19:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://packetstormsecurity.com/files/132458/Koha-ILS-3.20.x-CSRF-XSS-Traversal-SQL-Injection.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.sba-research.org/2015/06/24/researchers-of-sba-research-found-several-critical-security-vulnerabilities-in-the-koha-library-software-via-combinatorial-testing/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14408"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://koha-community.org/security-release-koha-3-16-12/"
},
{
"name": "20150625 SBA Research Vulnerability Disclosure - Multiple Critical Vulnerabilities in Koha ILS",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "https://seclists.org/fulldisclosure/2015/Jun/80"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://koha-community.org/security-release-koha-3-18-8/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://koha-community.org/security-release-koha-3-20-1/"
},
{
"name": "37388",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/37388/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://koha-community.org/koha-3-14-16-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-4632",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple directory traversal vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the template_path parameter to (1) svc/virtualshelves/search or (2) svc/members/search."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://packetstormsecurity.com/files/132458/Koha-ILS-3.20.x-CSRF-XSS-Traversal-SQL-Injection.html",
"refsource": "MISC",
"url": "https://packetstormsecurity.com/files/132458/Koha-ILS-3.20.x-CSRF-XSS-Traversal-SQL-Injection.html"
},
{
"name": "https://www.sba-research.org/2015/06/24/researchers-of-sba-research-found-several-critical-security-vulnerabilities-in-the-koha-library-software-via-combinatorial-testing/",
"refsource": "MISC",
"url": "https://www.sba-research.org/2015/06/24/researchers-of-sba-research-found-several-critical-security-vulnerabilities-in-the-koha-library-software-via-combinatorial-testing/"
},
{
"name": "https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14408",
"refsource": "CONFIRM",
"url": "https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14408"
},
{
"name": "https://koha-community.org/security-release-koha-3-16-12/",
"refsource": "CONFIRM",
"url": "https://koha-community.org/security-release-koha-3-16-12/"
},
{
"name": "20150625 SBA Research Vulnerability Disclosure - Multiple Critical Vulnerabilities in Koha ILS",
"refsource": "FULLDISC",
"url": "https://seclists.org/fulldisclosure/2015/Jun/80"
},
{
"name": "https://koha-community.org/security-release-koha-3-18-8/",
"refsource": "CONFIRM",
"url": "https://koha-community.org/security-release-koha-3-18-8/"
},
{
"name": "https://koha-community.org/security-release-koha-3-20-1/",
"refsource": "CONFIRM",
"url": "https://koha-community.org/security-release-koha-3-20-1/"
},
{
"name": "37388",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/37388/"
},
{
"name": "https://koha-community.org/koha-3-14-16-released/",
"refsource": "CONFIRM",
"url": "https://koha-community.org/koha-3-14-16-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-4632",
"datePublished": "2018-10-18T20:00:00",
"dateReserved": "2015-06-16T00:00:00",
"dateUpdated": "2024-08-06T06:18:12.033Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-4633 (GCVE-0-2015-4633)
Vulnerability from cvelistv5 – Published: 2018-10-18 20:00 – Updated: 2024-08-06 06:18
VLAI?
Summary
Multiple SQL injection vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow (1) remote attackers to execute arbitrary SQL commands via the number parameter to opac-tags_subject.pl in the OPAC interface or (2) remote authenticated users to execute arbitrary SQL commands via the Filter or (3) Criteria parameter to reports/borrowers_out.pl in the Staff interface.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T06:18:12.102Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14426"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://packetstormsecurity.com/files/132458/Koha-ILS-3.20.x-CSRF-XSS-Traversal-SQL-Injection.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14412"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.sba-research.org/2015/06/24/researchers-of-sba-research-found-several-critical-security-vulnerabilities-in-the-koha-library-software-via-combinatorial-testing/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://koha-community.org/security-release-koha-3-16-12/"
},
{
"name": "37387",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/37387/"
},
{
"name": "20150625 SBA Research Vulnerability Disclosure - Multiple Critical Vulnerabilities in Koha ILS",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "https://seclists.org/fulldisclosure/2015/Jun/80"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://koha-community.org/security-release-koha-3-18-8/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://koha-community.org/security-release-koha-3-20-1/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://koha-community.org/koha-3-14-16-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-06-25T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple SQL injection vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow (1) remote attackers to execute arbitrary SQL commands via the number parameter to opac-tags_subject.pl in the OPAC interface or (2) remote authenticated users to execute arbitrary SQL commands via the Filter or (3) Criteria parameter to reports/borrowers_out.pl in the Staff interface."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-18T19:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14426"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://packetstormsecurity.com/files/132458/Koha-ILS-3.20.x-CSRF-XSS-Traversal-SQL-Injection.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14412"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.sba-research.org/2015/06/24/researchers-of-sba-research-found-several-critical-security-vulnerabilities-in-the-koha-library-software-via-combinatorial-testing/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://koha-community.org/security-release-koha-3-16-12/"
},
{
"name": "37387",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/37387/"
},
{
"name": "20150625 SBA Research Vulnerability Disclosure - Multiple Critical Vulnerabilities in Koha ILS",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "https://seclists.org/fulldisclosure/2015/Jun/80"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://koha-community.org/security-release-koha-3-18-8/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://koha-community.org/security-release-koha-3-20-1/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://koha-community.org/koha-3-14-16-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-4633",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple SQL injection vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow (1) remote attackers to execute arbitrary SQL commands via the number parameter to opac-tags_subject.pl in the OPAC interface or (2) remote authenticated users to execute arbitrary SQL commands via the Filter or (3) Criteria parameter to reports/borrowers_out.pl in the Staff interface."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14426",
"refsource": "CONFIRM",
"url": "https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14426"
},
{
"name": "https://packetstormsecurity.com/files/132458/Koha-ILS-3.20.x-CSRF-XSS-Traversal-SQL-Injection.html",
"refsource": "MISC",
"url": "https://packetstormsecurity.com/files/132458/Koha-ILS-3.20.x-CSRF-XSS-Traversal-SQL-Injection.html"
},
{
"name": "https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14412",
"refsource": "CONFIRM",
"url": "https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14412"
},
{
"name": "https://www.sba-research.org/2015/06/24/researchers-of-sba-research-found-several-critical-security-vulnerabilities-in-the-koha-library-software-via-combinatorial-testing/",
"refsource": "MISC",
"url": "https://www.sba-research.org/2015/06/24/researchers-of-sba-research-found-several-critical-security-vulnerabilities-in-the-koha-library-software-via-combinatorial-testing/"
},
{
"name": "https://koha-community.org/security-release-koha-3-16-12/",
"refsource": "CONFIRM",
"url": "https://koha-community.org/security-release-koha-3-16-12/"
},
{
"name": "37387",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/37387/"
},
{
"name": "20150625 SBA Research Vulnerability Disclosure - Multiple Critical Vulnerabilities in Koha ILS",
"refsource": "FULLDISC",
"url": "https://seclists.org/fulldisclosure/2015/Jun/80"
},
{
"name": "https://koha-community.org/security-release-koha-3-18-8/",
"refsource": "CONFIRM",
"url": "https://koha-community.org/security-release-koha-3-18-8/"
},
{
"name": "https://koha-community.org/security-release-koha-3-20-1/",
"refsource": "CONFIRM",
"url": "https://koha-community.org/security-release-koha-3-20-1/"
},
{
"name": "https://koha-community.org/koha-3-14-16-released/",
"refsource": "CONFIRM",
"url": "https://koha-community.org/koha-3-14-16-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-4633",
"datePublished": "2018-10-18T20:00:00",
"dateReserved": "2015-06-16T00:00:00",
"dateUpdated": "2024-08-06T06:18:12.102Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-4630 (GCVE-0-2015-4630)
Vulnerability from cvelistv5 – Published: 2018-10-18 20:00 – Updated: 2024-08-06 06:18
VLAI?
Summary
Multiple cross-site request forgery (CSRF) vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to (1) hijack the authentication of administrators for requests that create a user via a request to members/memberentry.pl or (2) give a user superlibrarian permission via a request to members/member-flags.pl or (3) hijack the authentication of arbitrary users for requests that conduct cross-site scripting (XSS) attacks via the addshelf parameter to opac-shelves.pl.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T06:18:12.057Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://packetstormsecurity.com/files/132458/Koha-ILS-3.20.x-CSRF-XSS-Traversal-SQL-Injection.html"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.sba-research.org/2015/06/24/researchers-of-sba-research-found-several-critical-security-vulnerabilities-in-the-koha-library-software-via-combinatorial-testing/"
},
{
"name": "37389",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "https://www.exploit-db.com/exploits/37389/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://koha-community.org/security-release-koha-3-16-12/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14423"
},
{
"name": "20150625 SBA Research Vulnerability Disclosure - Multiple Critical Vulnerabilities in Koha ILS",
"tags": [
"mailing-list",
"x_refsource_FULLDISC",
"x_transferred"
],
"url": "https://seclists.org/fulldisclosure/2015/Jun/80"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://koha-community.org/security-release-koha-3-18-8/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://koha-community.org/security-release-koha-3-20-1/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://koha-community.org/koha-3-14-16-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-06-25T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site request forgery (CSRF) vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to (1) hijack the authentication of administrators for requests that create a user via a request to members/memberentry.pl or (2) give a user superlibrarian permission via a request to members/member-flags.pl or (3) hijack the authentication of arbitrary users for requests that conduct cross-site scripting (XSS) attacks via the addshelf parameter to opac-shelves.pl."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-18T19:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://packetstormsecurity.com/files/132458/Koha-ILS-3.20.x-CSRF-XSS-Traversal-SQL-Injection.html"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.sba-research.org/2015/06/24/researchers-of-sba-research-found-several-critical-security-vulnerabilities-in-the-koha-library-software-via-combinatorial-testing/"
},
{
"name": "37389",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "https://www.exploit-db.com/exploits/37389/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://koha-community.org/security-release-koha-3-16-12/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14423"
},
{
"name": "20150625 SBA Research Vulnerability Disclosure - Multiple Critical Vulnerabilities in Koha ILS",
"tags": [
"mailing-list",
"x_refsource_FULLDISC"
],
"url": "https://seclists.org/fulldisclosure/2015/Jun/80"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://koha-community.org/security-release-koha-3-18-8/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://koha-community.org/security-release-koha-3-20-1/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://koha-community.org/koha-3-14-16-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-4630",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site request forgery (CSRF) vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to (1) hijack the authentication of administrators for requests that create a user via a request to members/memberentry.pl or (2) give a user superlibrarian permission via a request to members/member-flags.pl or (3) hijack the authentication of arbitrary users for requests that conduct cross-site scripting (XSS) attacks via the addshelf parameter to opac-shelves.pl."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://packetstormsecurity.com/files/132458/Koha-ILS-3.20.x-CSRF-XSS-Traversal-SQL-Injection.html",
"refsource": "MISC",
"url": "https://packetstormsecurity.com/files/132458/Koha-ILS-3.20.x-CSRF-XSS-Traversal-SQL-Injection.html"
},
{
"name": "https://www.sba-research.org/2015/06/24/researchers-of-sba-research-found-several-critical-security-vulnerabilities-in-the-koha-library-software-via-combinatorial-testing/",
"refsource": "MISC",
"url": "https://www.sba-research.org/2015/06/24/researchers-of-sba-research-found-several-critical-security-vulnerabilities-in-the-koha-library-software-via-combinatorial-testing/"
},
{
"name": "37389",
"refsource": "EXPLOIT-DB",
"url": "https://www.exploit-db.com/exploits/37389/"
},
{
"name": "https://koha-community.org/security-release-koha-3-16-12/",
"refsource": "CONFIRM",
"url": "https://koha-community.org/security-release-koha-3-16-12/"
},
{
"name": "https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14423",
"refsource": "CONFIRM",
"url": "https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14423"
},
{
"name": "20150625 SBA Research Vulnerability Disclosure - Multiple Critical Vulnerabilities in Koha ILS",
"refsource": "FULLDISC",
"url": "https://seclists.org/fulldisclosure/2015/Jun/80"
},
{
"name": "https://koha-community.org/security-release-koha-3-18-8/",
"refsource": "CONFIRM",
"url": "https://koha-community.org/security-release-koha-3-18-8/"
},
{
"name": "https://koha-community.org/security-release-koha-3-20-1/",
"refsource": "CONFIRM",
"url": "https://koha-community.org/security-release-koha-3-20-1/"
},
{
"name": "https://koha-community.org/koha-3-14-16-released/",
"refsource": "CONFIRM",
"url": "https://koha-community.org/koha-3-14-16-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-4630",
"datePublished": "2018-10-18T20:00:00",
"dateReserved": "2015-06-16T00:00:00",
"dateUpdated": "2024-08-06T06:18:12.057Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1000669 (GCVE-0-2018-1000669)
Vulnerability from cvelistv5 – Published: 2018-09-06 19:00 – Updated: 2024-09-16 23:46
VLAI?
Summary
KOHA Library System version 16.11.x (up until 16.11.13) and 17.05.x (up until 17.05.05) contains a Cross Site Request Forgery (CSRF) vulnerability in /cgi-bin/koha/members/paycollect.pl Parameters affected: borrowernumber, amount, amountoutstanding, paid that can result in Attackers can mark payments as paid for certain users on behalf of Administrators. This attack appear to be exploitable via The victim must be socially engineered into clicking a link, usually via email. This vulnerability appears to have been fixed in 17.11.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:40:47.838Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19117"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"dateAssigned": "2018-09-03T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "KOHA Library System version 16.11.x (up until 16.11.13) and 17.05.x (up until 17.05.05) contains a Cross Site Request Forgery (CSRF) vulnerability in /cgi-bin/koha/members/paycollect.pl Parameters affected: borrowernumber, amount, amountoutstanding, paid that can result in Attackers can mark payments as paid for certain users on behalf of Administrators. This attack appear to be exploitable via The victim must be socially engineered into clicking a link, usually via email. This vulnerability appears to have been fixed in 17.11."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-09-06T19:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19117"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"DATE_ASSIGNED": "2018-09-03T16:07:16.979484",
"DATE_REQUESTED": "2018-08-24T17:46:09",
"ID": "CVE-2018-1000669",
"REQUESTER": "jiakyooi95@hotmail.com",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "KOHA Library System version 16.11.x (up until 16.11.13) and 17.05.x (up until 17.05.05) contains a Cross Site Request Forgery (CSRF) vulnerability in /cgi-bin/koha/members/paycollect.pl Parameters affected: borrowernumber, amount, amountoutstanding, paid that can result in Attackers can mark payments as paid for certain users on behalf of Administrators. This attack appear to be exploitable via The victim must be socially engineered into clicking a link, usually via email. This vulnerability appears to have been fixed in 17.11."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19117",
"refsource": "CONFIRM",
"url": "https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19117"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-1000669",
"datePublished": "2018-09-06T19:00:00Z",
"dateReserved": "2018-09-06T00:00:00Z",
"dateUpdated": "2024-09-16T23:46:44.626Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2018-1000670 (GCVE-0-2018-1000670)
Vulnerability from cvelistv5 – Published: 2018-09-06 19:00 – Updated: 2024-09-16 16:18
VLAI?
Summary
KOHA Library System version 16.11.x (up until 16.11.13) and 17.05.x (up until 17.05.05) contains a Cross Site Scripting (XSS) vulnerability in Multiple fields on multiple pages including /cgi-bin/koha/acqui/supplier.pl?op=enter , /cgi-bin/koha/circ/circulation.pl?borrowernumber=[number] , /cgi-bin/koha/serials/subscription-add.pl that can result in Privilege escalation by taking control of higher privileged users browser sessions. This attack appear to be exploitable via Victims must be socially engineered to visit a vulnerable webpage containing malicious payload. This vulnerability appears to have been fixed in 17.11.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T12:40:47.953Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19086"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"dateAssigned": "2018-09-03T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "KOHA Library System version 16.11.x (up until 16.11.13) and 17.05.x (up until 17.05.05) contains a Cross Site Scripting (XSS) vulnerability in Multiple fields on multiple pages including /cgi-bin/koha/acqui/supplier.pl?op=enter , /cgi-bin/koha/circ/circulation.pl?borrowernumber=[number] , /cgi-bin/koha/serials/subscription-add.pl that can result in Privilege escalation by taking control of higher privileged users browser sessions. This attack appear to be exploitable via Victims must be socially engineered to visit a vulnerable webpage containing malicious payload. This vulnerability appears to have been fixed in 17.11."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-09-06T19:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19086"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"DATE_ASSIGNED": "2018-09-03T16:07:16.980429",
"DATE_REQUESTED": "2018-08-24T17:52:47",
"ID": "CVE-2018-1000670",
"REQUESTER": "jiakyooi95@hotmail.com",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "KOHA Library System version 16.11.x (up until 16.11.13) and 17.05.x (up until 17.05.05) contains a Cross Site Scripting (XSS) vulnerability in Multiple fields on multiple pages including /cgi-bin/koha/acqui/supplier.pl?op=enter , /cgi-bin/koha/circ/circulation.pl?borrowernumber=[number] , /cgi-bin/koha/serials/subscription-add.pl that can result in Privilege escalation by taking control of higher privileged users browser sessions. This attack appear to be exploitable via Victims must be socially engineered to visit a vulnerable webpage containing malicious payload. This vulnerability appears to have been fixed in 17.11."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19086",
"refsource": "CONFIRM",
"url": "https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19086"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2018-1000670",
"datePublished": "2018-09-06T19:00:00Z",
"dateReserved": "2018-09-06T00:00:00Z",
"dateUpdated": "2024-09-16T16:18:56.437Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2015-4639 (GCVE-0-2015-4639)
Vulnerability from cvelistv5 – Published: 2017-07-21 14:00 – Updated: 2024-08-06 06:18
VLAI?
Summary
Cross-site scripting (XSS) vulnerability in opac-addbybiblionumber.pl in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, and 3.20.x before 3.20.1 allows remote attackers to inject arbitrary web script or HTML via a crafted list name.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T06:18:12.093Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14416#c4"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://koha-community.org/security-release-koha-3-16-12/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://koha-community.org/security-release-koha-3-20-1/"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://koha-community.org/koha-3-14-16-released/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2015-06-19T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Cross-site scripting (XSS) vulnerability in opac-addbybiblionumber.pl in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, and 3.20.x before 3.20.1 allows remote attackers to inject arbitrary web script or HTML via a crafted list name."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2018-10-18T19:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14416#c4"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://koha-community.org/security-release-koha-3-16-12/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://koha-community.org/security-release-koha-3-20-1/"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://koha-community.org/koha-3-14-16-released/"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-4639",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Cross-site scripting (XSS) vulnerability in opac-addbybiblionumber.pl in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, and 3.20.x before 3.20.1 allows remote attackers to inject arbitrary web script or HTML via a crafted list name."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14416#c4",
"refsource": "CONFIRM",
"url": "http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14416#c4"
},
{
"name": "https://koha-community.org/security-release-koha-3-16-12/",
"refsource": "CONFIRM",
"url": "https://koha-community.org/security-release-koha-3-16-12/"
},
{
"name": "https://koha-community.org/security-release-koha-3-20-1/",
"refsource": "CONFIRM",
"url": "https://koha-community.org/security-release-koha-3-20-1/"
},
{
"name": "https://koha-community.org/koha-3-14-16-released/",
"refsource": "CONFIRM",
"url": "https://koha-community.org/koha-3-14-16-released/"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-4639",
"datePublished": "2017-07-21T14:00:00",
"dateReserved": "2015-06-16T00:00:00",
"dateUpdated": "2024-08-06T06:18:12.093Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2014-9446 (GCVE-0-2014-9446)
Vulnerability from cvelistv5 – Published: 2015-01-02 20:00 – Updated: 2024-09-16 18:54
VLAI?
Summary
Multiple cross-site scripting (XSS) vulnerabilities in the Staff client in Koha before 3.16.6 and 3.18.x before 3.18.2 allow remote attackers to inject arbitrary web script or HTML via the sort_by parameter to the (1) opac parameter in opac-search.pl or (2) intranet parameter in catalogue/search.pl.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T13:47:41.022Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://koha-community.org/koha-3-16-6-release/"
},
{
"name": "71803",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/71803"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://koha-community.org/koha-3-18-2-release/"
},
{
"name": "61187",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/61187"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13425"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in the Staff client in Koha before 3.16.6 and 3.18.x before 3.18.2 allow remote attackers to inject arbitrary web script or HTML via the sort_by parameter to the (1) opac parameter in opac-search.pl or (2) intranet parameter in catalogue/search.pl."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2015-01-02T20:00:00Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://koha-community.org/koha-3-16-6-release/"
},
{
"name": "71803",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/71803"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://koha-community.org/koha-3-18-2-release/"
},
{
"name": "61187",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/61187"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13425"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2014-9446",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Multiple cross-site scripting (XSS) vulnerabilities in the Staff client in Koha before 3.16.6 and 3.18.x before 3.18.2 allow remote attackers to inject arbitrary web script or HTML via the sort_by parameter to the (1) opac parameter in opac-search.pl or (2) intranet parameter in catalogue/search.pl."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://koha-community.org/koha-3-16-6-release/",
"refsource": "CONFIRM",
"url": "http://koha-community.org/koha-3-16-6-release/"
},
{
"name": "71803",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/71803"
},
{
"name": "http://koha-community.org/koha-3-18-2-release/",
"refsource": "CONFIRM",
"url": "http://koha-community.org/koha-3-18-2-release/"
},
{
"name": "61187",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/61187"
},
{
"name": "http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13425",
"refsource": "CONFIRM",
"url": "http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13425"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2014-9446",
"datePublished": "2015-01-02T20:00:00Z",
"dateReserved": "2015-01-02T00:00:00Z",
"dateUpdated": "2024-09-16T18:54:07.207Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2011-4715 (GCVE-0-2011-4715)
Vulnerability from cvelistv5 – Published: 2011-12-08 19:00 – Updated: 2024-08-07 00:16
VLAI?
Summary
Directory traversal vulnerability in cgi-bin/koha/mainpage.pl in Koha 3.4 before 3.4.7 and 3.6 before 3.6.1, and LibLime Koha 4.2 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the KohaOpacLanguage cookie to cgi-bin/opac/opac-main.pl, related to Output.pm.
Severity ?
No CVSS data available.
CWE
- n/a
Assigner
References
| URL | Tags | ||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-07T00:16:34.139Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "50812",
"tags": [
"vdb-entry",
"x_refsource_BID",
"x_transferred"
],
"url": "http://www.securityfocus.com/bid/50812"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://koha-community.org/koha-3-6-1/#more-2929"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://www.vigasis.com/en/?guncel_guvenlik=LibLime%20Koha%20%3C=%204.2%20Local%20File%20Inclusion%20Vulnerability\u0026lnk=exploits/18153"
},
{
"name": "18153",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB",
"x_transferred"
],
"url": "http://www.exploit-db.com/exploits/18153"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "http://koha-community.org/koha-3-4-7/#more-2971"
},
{
"name": "77322",
"tags": [
"vdb-entry",
"x_refsource_OSVDB",
"x_transferred"
],
"url": "http://osvdb.org/77322"
},
{
"name": "46980",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA",
"x_transferred"
],
"url": "http://secunia.com/advisories/46980"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/liblime/LibLime-Koha/commit/8ea6f7bc37d05a9ec25b5afbea011cf9de5f1e49#C4/Output.pm"
},
{
"name": "liblimekoha-opacmain-file-include(71478)",
"tags": [
"vdb-entry",
"x_refsource_XF",
"x_transferred"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/71478"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2011-11-24T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Directory traversal vulnerability in cgi-bin/koha/mainpage.pl in Koha 3.4 before 3.4.7 and 3.6 before 3.6.1, and LibLime Koha 4.2 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the KohaOpacLanguage cookie to cgi-bin/opac/opac-main.pl, related to Output.pm."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-08-28T12:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"name": "50812",
"tags": [
"vdb-entry",
"x_refsource_BID"
],
"url": "http://www.securityfocus.com/bid/50812"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://koha-community.org/koha-3-6-1/#more-2929"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://www.vigasis.com/en/?guncel_guvenlik=LibLime%20Koha%20%3C=%204.2%20Local%20File%20Inclusion%20Vulnerability\u0026lnk=exploits/18153"
},
{
"name": "18153",
"tags": [
"exploit",
"x_refsource_EXPLOIT-DB"
],
"url": "http://www.exploit-db.com/exploits/18153"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "http://koha-community.org/koha-3-4-7/#more-2971"
},
{
"name": "77322",
"tags": [
"vdb-entry",
"x_refsource_OSVDB"
],
"url": "http://osvdb.org/77322"
},
{
"name": "46980",
"tags": [
"third-party-advisory",
"x_refsource_SECUNIA"
],
"url": "http://secunia.com/advisories/46980"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/liblime/LibLime-Koha/commit/8ea6f7bc37d05a9ec25b5afbea011cf9de5f1e49#C4/Output.pm"
},
{
"name": "liblimekoha-opacmain-file-include(71478)",
"tags": [
"vdb-entry",
"x_refsource_XF"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/71478"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2011-4715",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Directory traversal vulnerability in cgi-bin/koha/mainpage.pl in Koha 3.4 before 3.4.7 and 3.6 before 3.6.1, and LibLime Koha 4.2 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the KohaOpacLanguage cookie to cgi-bin/opac/opac-main.pl, related to Output.pm."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "50812",
"refsource": "BID",
"url": "http://www.securityfocus.com/bid/50812"
},
{
"name": "http://koha-community.org/koha-3-6-1/#more-2929",
"refsource": "CONFIRM",
"url": "http://koha-community.org/koha-3-6-1/#more-2929"
},
{
"name": "http://www.vigasis.com/en/?guncel_guvenlik=LibLime%20Koha%20%3C=%204.2%20Local%20File%20Inclusion%20Vulnerability\u0026lnk=exploits/18153",
"refsource": "MISC",
"url": "http://www.vigasis.com/en/?guncel_guvenlik=LibLime%20Koha%20%3C=%204.2%20Local%20File%20Inclusion%20Vulnerability\u0026lnk=exploits/18153"
},
{
"name": "18153",
"refsource": "EXPLOIT-DB",
"url": "http://www.exploit-db.com/exploits/18153"
},
{
"name": "http://koha-community.org/koha-3-4-7/#more-2971",
"refsource": "CONFIRM",
"url": "http://koha-community.org/koha-3-4-7/#more-2971"
},
{
"name": "77322",
"refsource": "OSVDB",
"url": "http://osvdb.org/77322"
},
{
"name": "46980",
"refsource": "SECUNIA",
"url": "http://secunia.com/advisories/46980"
},
{
"name": "https://github.com/liblime/LibLime-Koha/commit/8ea6f7bc37d05a9ec25b5afbea011cf9de5f1e49#C4/Output.pm",
"refsource": "CONFIRM",
"url": "https://github.com/liblime/LibLime-Koha/commit/8ea6f7bc37d05a9ec25b5afbea011cf9de5f1e49#C4/Output.pm"
},
{
"name": "liblimekoha-opacmain-file-include(71478)",
"refsource": "XF",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/71478"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2011-4715",
"datePublished": "2011-12-08T19:00:00",
"dateReserved": "2011-12-08T00:00:00",
"dateUpdated": "2024-08-07T00:16:34.139Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}