CVSS: 7.7EPSS: 0%CPEs: 4EXPL: 0CVE-2025-30076
https://notcve.org/view.php?id=CVE-2025-30076
16 Mar 2025 — Koha before 24.11.02 allows admins to execute arbitrary commands via shell metacharacters in the tools/scheduler.pl report parameter. • https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=39170 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 2CVE-2025-22954 – Koha SQL Injection
https://notcve.org/view.php?id=CVE-2025-22954
12 Mar 2025 — Koha <= 21.11 is contains a SQL Injection vulnerability in /serials/lateissues-export.pl via the supplierid parameter. GetLateOrMissingIssues in C4/Serials.pm in Koha before 24.11.02 allows SQL Injection in /serials/lateissues-export.pl via the supplierid or serialid parameter. Koha versions prior to 24.11.02 suffer from a remote SQL injection vulnerability in C4/Serials.pm. • https://packetstorm.news/files/id/189922 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 1CVE-2023-5025 – KOHA MARC search.pl cross site scripting
https://notcve.org/view.php?id=CVE-2023-5025
17 Sep 2023 — A vulnerability was found in KOHA up to 23.05.03. It has been declared as problematic. This vulnerability affects unknown code of the file /cgi-bin/koha/catalogue/search.pl of the component MARC. The manipulation leads to cross site scripting. The attack can be initiated remotely. • https://vuldb.com/?ctiid.239866 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 2%CPEs: 4EXPL: 1CVE-2014-1925
https://notcve.org/view.php?id=CVE-2014-1925
24 Jan 2020 — SQL injection vulnerability in the MARC framework import/export function (admin/import_export_framework.pl) in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors. NOTE: this can be leveraged by remote attackers using CVE-2014-1924. Una vulnerabilidad de inyección SQL en la función MARC framework import/export (archivo admin/import_export_framework.pl) en Koha versiones anterior... • http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11666 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 9.8EPSS: 4%CPEs: 4EXPL: 1CVE-2014-1924
https://notcve.org/view.php?id=CVE-2014-1924
24 Jan 2020 — The MARC framework import/export function (admin/import_export_framework.pl) in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 does not require authentication, which allows remote attackers to conduct SQL injection attacks via unspecified vectors. La función MARC framework import/export (archivo admin/import_export_framework.pl) en Koha versiones anteriores a 3.8.23, versiones 3.10.x anteriores a 3.10.13, versiones 3.12.x anteriores a 3.12.10 y versiones 3.14.x an... • http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11666 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 1CVE-2014-1922
https://notcve.org/view.php?id=CVE-2014-1922
24 Jan 2020 — Absolute path traversal vulnerability in tools/pdfViewer.pl in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 allows remote attackers to read arbitrary files via unspecified vectors. Una vulnerabilidad de salto de ruta en el archivo tools/pdfViewer.pl en Koha versiones anteriores a 3.8.23, versiones 3.10.x anteriores a 3.10.13, versiones 3.12.x anteriores a 3.12.10 y versiones 3.14.x anteriores a 3.14.3, permite a atacantes remotos leer archivos arbitrarios por me... • http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11660 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 7.5EPSS: 2%CPEs: 4EXPL: 1CVE-2014-1923
https://notcve.org/view.php?id=CVE-2014-1923
24 Jan 2020 — Multiple directory traversal vulnerabilities in the (1) staff interface help editor (edithelp.pl) or (2) member-picupload.pl in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 allow remote attackers to write to arbitrary files via unspecified vectors. Múltiples vulnerabilidades de Salto de Directorio en el (1) editor de ayuda de la interfaz del personal (archivo edithelp.pl) o (2) el archivo member-picupload.pl en Koha versiones anteriores a 3.8.23, versiones 3.10.... • http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=11661 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.1EPSS: 0%CPEs: 3EXPL: 1CVE-2014-9446
https://notcve.org/view.php?id=CVE-2014-9446
02 Jan 2015 — Multiple cross-site scripting (XSS) vulnerabilities in the Staff client in Koha before 3.16.6 and 3.18.x before 3.18.2 allow remote attackers to inject arbitrary web script or HTML via the sort_by parameter to the (1) opac parameter in opac-search.pl or (2) intranet parameter in catalogue/search.pl. Múltiples vulnerabilidades de XSS en el client Staff en Koha anterior a 3.16.6 y 3.18.x anterior a 3.18.2 permiten a atacantes remotos inyecdtar secuencias de comandos web o HTML arbitrarios a través del parámet... • http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=13425 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 23%CPEs: 9EXPL: 4CVE-2011-4715 – LibLime Koha 4.2 - Local File Inclusion
https://notcve.org/view.php?id=CVE-2011-4715
08 Dec 2011 — Directory traversal vulnerability in cgi-bin/koha/mainpage.pl in Koha 3.4 before 3.4.7 and 3.6 before 3.6.1, and LibLime Koha 4.2 and earlier allows remote attackers to read arbitrary files via a .. (dot dot) in the KohaOpacLanguage cookie to cgi-bin/opac/opac-main.pl, related to Output.pm. Vulnerabilidad de salto de directorio en cgi-bin/koha/mainpage.pl en Koha v3.4 antes de v3.4.7 y v3.6 antes de v3.6.1, y LibLime Koha v4.2 y anteriores permite a atacantes remotos leer archivos de su elección a través de... • https://www.exploit-db.com/exploits/18153 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •