CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 1CVE-2024-24336
https://notcve.org/view.php?id=CVE-2024-24336
19 Mar 2024 — A multiple Cross-site scripting (XSS) vulnerability in the '/members/moremember.pl', and ‘/members/members-home.pl’ endpoints within Koha Library Management System version 23.05.05 and earlier allows malicious staff users to carry out CSRF attacks, including unauthorized changes to usernames and passwords of users visiting the affected page, via the 'Circulation note' and ‘Patrons Restriction’ components. • https://github.com/nitipoom-jar/CVE-2024-24336 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 1CVE-2024-24337
https://notcve.org/view.php?id=CVE-2024-24337
12 Feb 2024 — CSV Injection vulnerability in '/members/moremember.pl' and '/admin/aqbudgets.pl' endpoints in Koha Library Management System version 23.05.05 and earlier allows attackers to to inject DDE commands into csv exports via the 'Budget' and 'Patrons Member' components. Vulnerabilidad de inyección CSV en los endpoints '/members/moremember.pl' y '/admin/aqbudgets.pl' en Koha Library Management System versión 23.05.05 y anteriores permite a los atacantes inyectar comandos DDE en exportaciones csv a través de los co... • https://github.com/nitipoom-jar/CVE-2024-24337 • CWE-1236: Improper Neutralization of Formula Elements in a CSV File •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-44961
https://notcve.org/view.php?id=CVE-2023-44961
11 Oct 2023 — SQL Injection vulnerability in Koha Library Software 23.0.5.04 and before allows a remote attacker to obtain sensitive information via the intranet/cgi bin/cataloging/ysearch.pl. component. Vulnerabilidad de inyección SQL en Koha Library Software 23.0.5.04 y anteriores permite a un atacante remoto obtener información confidencial a través del componente intranet/cgi bin/cataloging/ysearch.pl. • https://github.com/ggb0n/CVE-2023-44961 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 1CVE-2023-44962
https://notcve.org/view.php?id=CVE-2023-44962
11 Oct 2023 — File Upload vulnerability in Koha Library Software 23.05.04 and before allows a remote attacker to read arbitrary files via the upload-cover-image.pl component. Vulnerabilidad de carga de archivos en Koha Library Software 23.05.04 y anteriores permite a un atacante remoto leer archivos arbitrarios a través del componente upload-cover-image.pl. • https://github.com/ggb0n/CVE-2023-44962 • CWE-434: Unrestricted Upload of File with Dangerous Type •