KOHA Library System version 16.11.x (up until 16.11.13) and 17.05.x (up until 17.05.05) contains a Cross Site Scripting (XSS) vulnerability in Multiple fields on multiple pages including /cgi-bin/koha/acqui/supplier.pl?op=enter , /cgi-bin/koha/circ/circulation.pl?borrowernumber=[number] , /cgi-bin/koha/serials/subscription-add.pl that can result in Privilege escalation by taking control of higher privileged users browser sessions. This attack appear to be exploitable via Victims must be socially engineered to visit a vulnerable webpage containing malicious payload. This vulnerability appears to have been fixed in 17.11.
CPE | Name | Operator | Version |
---|---|---|---|
koha | eq | 3.12.00-alpha | |
koha | eq | 16.11.03 | |
koha | eq | 3.02.00-rc | |
koha | eq | 3.14.00-alpha1 | |
koha | eq | R_1-9-3 | |
koha | eq | R_1-9-0 | |
koha | eq | R_2-0-0RC1 | |
koha | eq | 16.11.12 | |
koha | eq | 3.14.00-alpha2 | |
koha | eq | 16.11.08 |