
CVE-2015-4630 – Koha 3.20.1 - Multiple Cross-Site Scripting / Cross-Site Request Forgery Vulnerabilities
https://notcve.org/view.php?id=CVE-2015-4630
26 Jun 2015 — Multiple cross-site request forgery (CSRF) vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to (1) hijack the authentication of administrators for requests that create a user via a request to members/memberentry.pl or (2) give a user superlibrarian permission via a request to members/member-flags.pl or (3) hijack the authentication of arbitrary users for requests that conduct cross-site scripting (XSS) attacks via th... • https://packetstorm.news/files/id/132458 • CWE-352: Cross-Site Request Forgery (CSRF) •

CVE-2015-4631 – Koha 3.20.1 - Multiple Cross-Site Scripting / Cross-Site Request Forgery Vulnerabilities
https://notcve.org/view.php?id=CVE-2015-4631
26 Jun 2015 — Multiple cross-site scripting (XSS) vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to inject arbitrary web script or HTML via the (1) tag parameter to opac-search.pl; the (2) value parameter to authorities/authorities-home.pl; the (3) delay parameter to acqui/lateorders.pl; the (4) authtypecode or (5) tagfield to admin/auth_subfields_structure.pl; the (6) tagfield parameter to admin/marc_subfields_structure.pl; the... • https://packetstorm.news/files/id/132458 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2015-4632 – Koha 3.20.1 - Directory Traversal
https://notcve.org/view.php?id=CVE-2015-4632
26 Jun 2015 — Multiple directory traversal vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the template_path parameter to (1) svc/virtualshelves/search or (2) svc/members/search. Multiple Cross-Site Scripting (XSS) vulnerabilities in Koha, in versions 3.14.x prior to 3.14.16, versions 3.16.x prior to 3.16.12, versions 3.18.x prior to 3.18.08 ... • https://packetstorm.news/files/id/132458 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2015-4633 – Koha 3.20.1 - Multiple SQL Injections
https://notcve.org/view.php?id=CVE-2015-4633
26 Jun 2015 — Multiple SQL injection vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow (1) remote attackers to execute arbitrary SQL commands via the number parameter to opac-tags_subject.pl in the OPAC interface or (2) remote authenticated users to execute arbitrary SQL commands via the Filter or (3) Criteria parameter to reports/borrowers_out.pl in the Staff interface. Multiple Cross-Site Scripting (XSS) vulnerabilities in Koha, in versions 3.... • https://packetstorm.news/files/id/132458 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2014-9446
https://notcve.org/view.php?id=CVE-2014-9446
02 Jan 2015 — Multiple cross-site scripting (XSS) vulnerabilities in the Staff client in Koha before 3.16.6 and 3.18.x before 3.18.2 allow remote attackers to inject arbitrary web script or HTML via the sort_by parameter to the (1) opac parameter in opac-search.pl or (2) intranet parameter in catalogue/search.pl. Multiple XSS vulnerabilities in the Staff client in Koha before 3.16.6 and 3.18.x before 3.18.2 allow remote attackers to inject arbitrary web script or HTML via the param... • http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13425 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2011-4715 – LibLime Koha 4.2 - Local File Inclusion
https://notcve.org/view.php?id=CVE-2011-4715
08 Dec 2011 — Directory traversal vulnerability in cgi-bin/koha/mainpage.pl in Koha 3.4 before 3.4.7 and 3.6 before 3.6.1, and LibLime Koha 4.2 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the KohaOpacLanguage cookie to cgi-bin/opac/opac-main.pl, related to Output.pm. Directory traversal vulnerability in cgi-bin/koha/mainpage.pl in Koha v3.4 before v3.4.7 and v3.6 before v3.6.1, and LibLime Koha v4.2 and earlier allows remote attackers to read arbitrary files via... • https://www.exploit-db.com/exploits/18153 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •