CVE-2014-9446

Multiple cross-site scripting XSS vulnerabilities in the Staff client in Koha before 3.16.6 and 3.18.x before 3.18.2 allow remote attackers to inject arbitrary web script or HTML via the sortby parameter to the 1 opac parameter in opac-search.pl or 2 intranet parameter in catalogue/search.pl...