CVE-2015-4631
N/A
Summary
Multiple cross-site scripting (XSS) vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to inject arbitrary web script or HTML via the (1) tag parameter to opac-search.pl; the (2) value parameter to authorities/authorities-home.pl; the (3) delay parameter to acqui/lateorders.pl; the (4) authtypecode or (5) tagfield to admin/auth_subfields_structure.pl; the (6) tagfield parameter to admin/marc_subfields_structure.pl; the (7) limit parameter to catalogue/search.pl; the (8) bookseller_filter, (9) callnumber_filter, (10) EAN_filter, (11) ISSN_filter, (12) publisher_filter, or (13) title_filter parameter to serials/serials-search.pl; or the (14) author, (15) collectiontitle, (16) copyrightdate, (17) isbn, (18) manageddate_from, (19) manageddate_to, (20) publishercode, (21) suggesteddate_from, or (22) suggesteddate_to parameter to suggestion/suggestion.pl; or the (23) direction, (24) display or (25) addshelf parameter to opac-shelves.pl.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| n/a | n/a | n/a | affected |
Weaknesses
- n/a
ADP Enrichment
CVE Program Container
Additional References
- https://packetstormsecurity.com/files/132458/Koha-ILS-3.20.x-CSRF-XSS-Traversal-SQL-Injection.html
- https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14418
- https://www.sba-research.org/2015/06/24/researchers-of-sba-research-found-several-critical-security-vulnerabilities-in-the-koha-library-software-via-combinatorial-testing/
- https://www.exploit-db.com/exploits/37389/
- https://koha-community.org/security-release-koha-3-16-12/
- https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14423
- https://seclists.org/fulldisclosure/2015/Jun/80
- https://koha-community.org/security-release-koha-3-18-8/
- https://koha-community.org/security-release-koha-3-20-1/
- https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14416
- https://koha-community.org/koha-3-14-16-released/
References
- https://packetstormsecurity.com/files/132458/Koha-ILS-3.20.x-CSRF-XSS-Traversal-SQL-Injection.html
- https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14418
- https://www.sba-research.org/2015/06/24/researchers-of-sba-research-found-several-critical-security-vulnerabilities-in-the-koha-library-software-via-combinatorial-testing/
- https://www.exploit-db.com/exploits/37389/
- https://koha-community.org/security-release-koha-3-16-12/
- https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14423
- https://seclists.org/fulldisclosure/2015/Jun/80
- https://koha-community.org/security-release-koha-3-18-8/
- https://koha-community.org/security-release-koha-3-20-1/
- https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14416
- https://koha-community.org/koha-3-14-16-released/
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.