CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-28740
https://notcve.org/view.php?id=CVE-2024-28740
06 Aug 2024 — Cross Site Scripting vulnerability in Koha ILS 23.05 and before allows a remote attacker to execute arbitrary code via the additonal-contents.pl component. • https://febin0x4e4a.wordpress.com/2023/01/11/xss-vulnerability-in-koha-integrated-library-system • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.6EPSS: 0%CPEs: 1EXPL: 0CVE-2024-28739
https://notcve.org/view.php?id=CVE-2024-28739
06 Aug 2024 — An issue in Koha ILS 23.05 and before allows a remote attacker to execute arbitrary code via a crafted script to the format parameter. • https://febin0x4e4a.wordpress.com/2024/03/07/xss-to-one-click-rce-in-koha-ils • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 1CVE-2024-24336
https://notcve.org/view.php?id=CVE-2024-24336
19 Mar 2024 — A multiple Cross-site scripting (XSS) vulnerability in the '/members/moremember.pl', and ‘/members/members-home.pl’ endpoints within Koha Library Management System version 23.05.05 and earlier allows malicious staff users to carry out CSRF attacks, including unauthorized changes to usernames and passwords of users visiting the affected page, via the 'Circulation note' and ‘Patrons Restriction’ components. • https://github.com/nitipoom-jar/CVE-2024-24336 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 1CVE-2024-24337
https://notcve.org/view.php?id=CVE-2024-24337
12 Feb 2024 — CSV Injection vulnerability in '/members/moremember.pl' and '/admin/aqbudgets.pl' endpoints in Koha Library Management System version 23.05.05 and earlier allows attackers to to inject DDE commands into csv exports via the 'Budget' and 'Patrons Member' components. Vulnerabilidad de inyección CSV en los endpoints '/members/moremember.pl' y '/admin/aqbudgets.pl' en Koha Library Management System versión 23.05.05 y anteriores permite a los atacantes inyectar comandos DDE en exportaciones csv a través de los co... • https://github.com/nitipoom-jar/CVE-2024-24337 • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-44961
https://notcve.org/view.php?id=CVE-2023-44961
11 Oct 2023 — SQL Injection vulnerability in Koha Library Software 23.0.5.04 and before allows a remote attacker to obtain sensitive information via the intranet/cgi bin/cataloging/ysearch.pl. component. Vulnerabilidad de inyección SQL en Koha Library Software 23.0.5.04 y anteriores permite a un atacante remoto obtener información confidencial a través del componente intranet/cgi bin/cataloging/ysearch.pl. • https://github.com/ggb0n/CVE-2023-44961 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-44962
https://notcve.org/view.php?id=CVE-2023-44962
11 Oct 2023 — File Upload vulnerability in Koha Library Software 23.05.04 and before allows a remote attacker to read arbitrary files via the upload-cover-image.pl component. Vulnerabilidad de carga de archivos en Koha Library Software 23.05.04 y anteriores permite a un atacante remoto leer archivos arbitrarios a través del componente upload-cover-image.pl. • https://github.com/ggb0n/CVE-2023-44962 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-5025 – KOHA MARC search.pl cross site scripting
https://notcve.org/view.php?id=CVE-2023-5025
17 Sep 2023 — A vulnerability was found in KOHA up to 23.05.03. It has been declared as problematic. This vulnerability affects unknown code of the file /cgi-bin/koha/catalogue/search.pl of the component MARC. The manipulation leads to cross site scripting. The attack can be initiated remotely. • https://vuldb.com/?ctiid.239866 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 4EXPL: 1CVE-2014-1925
https://notcve.org/view.php?id=CVE-2014-1925
24 Jan 2020 — SQL injection vulnerability in the MARC framework import/export function (admin/import_export_framework.pl) in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. NOTE: this can be leveraged by remote attackers using CVE-2014-1924. Una vulnerabilidad de inyección SQL en la función MARC framework import/export (archivo admin/import_export_framework.pl) en Koha versiones anterior... • http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11666 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 1%CPEs: 4EXPL: 1CVE-2014-1924
https://notcve.org/view.php?id=CVE-2014-1924
24 Jan 2020 — The MARC framework import/export function (admin/import_export_framework.pl) in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 does not require authentication, which allows remote attackers to conduct SQL injection attacks via unspecified vectors. La función MARC framework import/export (archivo admin/import_export_framework.pl) en Koha versiones anteriores a 3.8.23, versiones 3.10.x anteriores a 3.10.13, versiones 3.12.x anteriores a 3.12.10 y versiones 3.14.x an... • http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11666 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 1CVE-2014-1922
https://notcve.org/view.php?id=CVE-2014-1922
24 Jan 2020 — Absolute path traversal vulnerability in tools/pdfViewer.pl in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 allows remote attackers to read arbitrary files via unspecified vectors. Una vulnerabilidad de salto de ruta en el archivo tools/pdfViewer.pl en Koha versiones anteriores a 3.8.23, versiones 3.10.x anteriores a 3.10.13, versiones 3.12.x anteriores a 3.12.10 y versiones 3.14.x anteriores a 3.14.3, permite a atacantes remotos leer archivos arbitrarios por me... • http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11660 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •