CVSS: 7.7EPSS: 0%CPEs: 4EXPL: 0CVE-2025-30076
https://notcve.org/view.php?id=CVE-2025-30076
16 Mar 2025 — Koha before 24.11.02 allows admins to execute arbitrary commands via shell metacharacters in the tools/scheduler.pl report parameter. • https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39170 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 2CVE-2025-22954 – Koha SQL Injection
https://notcve.org/view.php?id=CVE-2025-22954
12 Mar 2025 — Koha <= 21.11 is contains a SQL Injection vulnerability in /serials/lateissues-export.pl via the supplierid parameter. GetLateOrMissingIssues in C4/Serials.pm in Koha before 24.11.02 allows SQL Injection in /serials/lateissues-export.pl via the supplierid or serialid parameter. Koha versions prior to 24.11.02 suffer from a remote SQL injection vulnerability in C4/Serials.pm. • https://packetstorm.news/files/id/189922 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-5025 – KOHA MARC search.pl cross site scripting
https://notcve.org/view.php?id=CVE-2023-5025
17 Sep 2023 — A vulnerability was found in KOHA up to 23.05.03. It has been declared as problematic. This vulnerability affects unknown code of the file /cgi-bin/koha/catalogue/search.pl of the component MARC. The manipulation leads to cross site scripting. The attack can be initiated remotely. • https://vuldb.com/?ctiid.239866 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.8EPSS: 0%CPEs: 36EXPL: 0CVE-2015-4639
https://notcve.org/view.php?id=CVE-2015-4639
21 Jul 2017 — Cross-site scripting (XSS) vulnerability in opac-addbybiblionumber.pl in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, and 3.20.x before 3.20.1 allows remote attackers to inject arbitrary web script or HTML via a crafted list name. Hay una vulnerabilidad de tipo Cross-Site Scripting (XSS) en la biblioteca opac-addbybiblionumber.pl en Koha versión 3.14.x anterior a 3.14.16, versión 3.16.x anterior a 3.16.12 y versión 3.20.x anterior a 3.20.1, permite a los atacantes remotos inyectar script web o HTML ar... • http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14416#c4 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.0EPSS: 0%CPEs: 4EXPL: 5CVE-2015-4630 – Koha 3.20.1 - Multiple Cross-Site Scripting / Cross-Site Request Forgery Vulnerabilities
https://notcve.org/view.php?id=CVE-2015-4630
26 Jun 2015 — Multiple cross-site request forgery (CSRF) vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to (1) hijack the authentication of administrators for requests that create a user via a request to members/memberentry.pl or (2) give a user superlibrarian permission via a request to members/member-flags.pl or (3) hijack the authentication of arbitrary users for requests that conduct cross-site scripting (XSS) attacks via th... • https://packetstorm.news/files/id/132458 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 5.4EPSS: 0%CPEs: 4EXPL: 7CVE-2015-4631 – Koha 3.20.1 - Multiple Cross-Site Scripting / Cross-Site Request Forgery Vulnerabilities
https://notcve.org/view.php?id=CVE-2015-4631
26 Jun 2015 — Multiple cross-site scripting (XSS) vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to inject arbitrary web script or HTML via the (1) tag parameter to opac-search.pl; the (2) value parameter to authorities/authorities-home.pl; the (3) delay parameter to acqui/lateorders.pl; the (4) authtypecode or (5) tagfield to admin/auth_subfields_structure.pl; the (6) tagfield parameter to admin/marc_subfields_structure.pl; the... • https://packetstorm.news/files/id/132458 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 83%CPEs: 4EXPL: 3CVE-2015-4632 – Koha 3.20.1 - Directory Traversal
https://notcve.org/view.php?id=CVE-2015-4632
26 Jun 2015 — Multiple directory traversal vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the template_path parameter to (1) svc/virtualshelves/search or (2) svc/members/search. Múltiples vulnerabilidades Cross-Site Scripting (XSS) en Koha, en versiones 3.14.x anteriores a la 3.14.16, versiones 3.16.x anteriores a la 3.16.12, versiones 3.18.x anteriores a la 3.18.08 ... • https://packetstorm.news/files/id/132458 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 4%CPEs: 4EXPL: 7CVE-2015-4633 – Koha 3.20.1 - Multiple SQL Injections
https://notcve.org/view.php?id=CVE-2015-4633
26 Jun 2015 — Multiple SQL injection vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow (1) remote attackers to execute arbitrary SQL commands via the number parameter to opac-tags_subject.pl in the OPAC interface or (2) remote authenticated users to execute arbitrary SQL commands via the Filter or (3) Criteria parameter to reports/borrowers_out.pl in the Staff interface. Múltiples vulnerabilidades Cross-Site Scripting (XSS) en Koha, en versiones 3.... • https://packetstorm.news/files/id/132458 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 1CVE-2014-9446
https://notcve.org/view.php?id=CVE-2014-9446
02 Jan 2015 — Multiple cross-site scripting (XSS) vulnerabilities in the Staff client in Koha before 3.16.6 and 3.18.x before 3.18.2 allow remote attackers to inject arbitrary web script or HTML via the sort_by parameter to the (1) opac parameter in opac-search.pl or (2) intranet parameter in catalogue/search.pl. Múltiples vulnerabilidades de XSS en el client Staff en Koha anterior a 3.16.6 y 3.18.x anterior a 3.18.2 permiten a atacantes remotos inyecdtar secuencias de comandos web o HTML arbitrarios a través del parámet... • http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13425 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •