Required CVE Record Information
Description
Multiple cross-site scripting (XSS) vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to inject arbitrary web script or HTML via the (1) tag parameter to opac-search.pl; the (2) value parameter to authorities/authorities-home.pl; the (3) delay parameter to acqui/lateorders.pl; the (4) authtypecode or (5) tagfield to admin/auth_subfields_structure.pl; the (6) tagfield parameter to admin/marc_subfields_structure.pl; the (7) limit parameter to catalogue/search.pl; the (8) bookseller_filter, (9) callnumber_filter, (10) EAN_filter, (11) ISSN_filter, (12) publisher_filter, or (13) title_filter parameter to serials/serials-search.pl; or the (14) author, (15) collectiontitle, (16) copyrightdate, (17) isbn, (18) manageddate_from, (19) manageddate_to, (20) publishercode, (21) suggesteddate_from, or (22) suggesteddate_to parameter to suggestion/suggestion.pl; or the (23) direction, (24) display or (25) addshelf parameter to opac-shelves.pl.
References 11 Total
- https://packetstormsecurity.com/files/132458/Koha-ILS-3.20.x-CSRF-XSS-Traversal-SQL-Injection.html
- https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14418
- https://www.sba-research.org/2015/06/24/researchers-of-sba-research-found-several-critical-security-vulnerabilities-in-the-koha-library-software-via-combinatorial-testing/
- exploit-db.com: 37389 exploit
- https://koha-community.org/security-release-koha-3-16-12/
- https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14423
- seclists.org: 20150625 SBA Research Vulnerability Disclosure - Multiple Critical Vulnerabilities in Koha ILS mailing-list
- https://koha-community.org/security-release-koha-3-18-8/
- https://koha-community.org/security-release-koha-3-20-1/
- https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14416
- https://koha-community.org/koha-3-14-16-released/
Updated:
This container includes required additional information provided by the CVE Program for this vulnerability.
References 11 Total
- https://packetstormsecurity.com/files/132458/Koha-ILS-3.20.x-CSRF-XSS-Traversal-SQL-Injection.html x_transferred
- https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14418 x_transferred
- https://www.sba-research.org/2015/06/24/researchers-of-sba-research-found-several-critical-security-vulnerabilities-in-the-koha-library-software-via-combinatorial-testing/ x_transferred
- exploit-db.com: 37389 exploitx_transferred
- https://koha-community.org/security-release-koha-3-16-12/ x_transferred
- https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14423 x_transferred
- seclists.org: 20150625 SBA Research Vulnerability Disclosure - Multiple Critical Vulnerabilities in Koha ILS mailing-listx_transferred
- https://koha-community.org/security-release-koha-3-18-8/ x_transferred
- https://koha-community.org/security-release-koha-3-20-1/ x_transferred
- https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14416 x_transferred
- https://koha-community.org/koha-3-14-16-released/ x_transferred