CVSS: 7.5EPSS: 83%CPEs: 4EXPL: 3CVE-2015-4632 – Koha 3.20.1 - Directory Traversal
https://notcve.org/view.php?id=CVE-2015-4632
26 Jun 2015 — Multiple directory traversal vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the template_path parameter to (1) svc/virtualshelves/search or (2) svc/members/search. Múltiples vulnerabilidades Cross-Site Scripting (XSS) en Koha, en versiones 3.14.x anteriores a la 3.14.16, versiones 3.16.x anteriores a la 3.16.12, versiones 3.18.x anteriores a la 3.18.08 ... • https://packetstorm.news/files/id/132458 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 9.8EPSS: 4%CPEs: 4EXPL: 7CVE-2015-4633 – Koha 3.20.1 - Multiple SQL Injections
https://notcve.org/view.php?id=CVE-2015-4633
26 Jun 2015 — Multiple SQL injection vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow (1) remote attackers to execute arbitrary SQL commands via the number parameter to opac-tags_subject.pl in the OPAC interface or (2) remote authenticated users to execute arbitrary SQL commands via the Filter or (3) Criteria parameter to reports/borrowers_out.pl in the Staff interface. Múltiples vulnerabilidades Cross-Site Scripting (XSS) en Koha, en versiones 3.... • https://packetstorm.news/files/id/132458 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 1CVE-2014-9446
https://notcve.org/view.php?id=CVE-2014-9446
02 Jan 2015 — Multiple cross-site scripting (XSS) vulnerabilities in the Staff client in Koha before 3.16.6 and 3.18.x before 3.18.2 allow remote attackers to inject arbitrary web script or HTML via the sort_by parameter to the (1) opac parameter in opac-search.pl or (2) intranet parameter in catalogue/search.pl. Múltiples vulnerabilidades de XSS en el client Staff en Koha anterior a 3.16.6 y 3.18.x anterior a 3.18.2 permiten a atacantes remotos inyecdtar secuencias de comandos web o HTML arbitrarios a través del parámet... • http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13425 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •