24 matches found
CVE-2024-24337
CVE-2024-24337 affects Koha Library Management System
CVE-2015-4632
CVE-2015-4632 : Koha suffers a directory traversal vulnerability in multiple releases (Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, 3.20.x before 3.20.1). An attacker can read arbitrary files by injecting a dot-dot encoded slash (..%2f) via the template_path parameter...
CVE-2015-4633
CVE-2015-4633 affects Koha ILS across multiple releases (notably 3.14.x up to 3.14.16, 3.16.x up to 3.16.12, 3.18.x up to 3.18.08, and 3.20.x up to 3.20.1). Vulnerability details show two SQL injection vectors: (1) unauthenticated injection via the number parameter to opac-tags_subject.pl in the ...
CVE-2011-4715
CVE-2011-4715 affects Koha and LibLime Koha prior to updates: a directory traversal/ local file inclusion flaw in cgi-bin/koha/mainpage.pl related to the KohaOpacLanguage cookie can allow reading arbitrary files via the cookie to cgi-bin/opac/opac-main.pl (Output.pm). Affected versions: Koha 3.4 ...
CVE-2014-1924
The CVE-2014-1924 entry affects Koha’s MARC framework import/export function (admin/import_export_framework.pl). The vulnerability occurs in Koha versions before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3, where the import/export interface does not require auth...
CVE-2014-1922
Koha’s pdfViewer.pl contains an absolute path traversal vulnerability affecting Koha releases up to 3.8.22, 3.10.x up to 3.10.12, 3.12.x up to 3.12.9, and 3.14.x up to 3.14.2. The flaw allows remote attackers to read arbitrary files via unspecified vectors. Attack is network-based with no authent...
CVE-2014-1925
Koha CVE-2014-1925 affects the MARC framework import/export function (admin/import_export_framework.pl). Affected versions include Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3. Description: an SQL injection vulnerability allows remote authenticated us...
CVE-2015-4630
Koha CVE-2015-4630 affects multiple 3.14–3.20 series: CSRF/XSS vulnerabilities allow (1) admin session hijack via memberentry.pl to create users, (2) privilege escalation to superlibrarian via member-flags.pl, and (3) arbitrary user hijack via addshelf XSS on opac-shelves.pl. Publicly known fixed...
CVE-2015-4631
CVE-2015-4631 concerns multiple cross-site scripting (XSS) vulnerabilities in Koha. Affected are Koha 3.14.x prior to 3.14.16, 3.16.x prior to 3.16.12, 3.18.x prior to 3.18.08, and 3.20.x prior to 3.20.1. The flaws allow remote attackers to inject arbitrary scripts via numerous parameters across ...
CVE-2014-1923
CVE-2014-1923 affects Koha: 3.8.x prior to 3.8.23, 3.10.x prior to 3.10.13, 3.12.x prior to 3.12.10, and 3.14.x prior to 3.14.3. Two vulnerable components are the staff interface help editor (edithelp.pl) and member-picupload.pl. A remote attacker can write to arbitrary files via unspecified vect...
CVE-2018-1000670
KOHA Library System versions 16.11.x (up to 16.11.13) and 17.05.x (up to 17.05.05) are affected by a Cross Site Scripting (XSS) vulnerability in multiple fields across several pages (e.g., /cgi-bin/koha/acqui/supplier.pl?op=enter, /cgi-bin/koha/circ/circulation.pl?borrowernumber=[number], /cgi-bi...
CVE-2014-9446
Koha vulnerability CVE-2014-9446 affects the Staff client in Koha versions prior to 3.16.6 and 3.18.x prior to 3.18.2. The issue is multiple cross-site scripting (XSS) flaws that allow remote attackers to inject arbitrary script/HTML via the sort_by parameter to (1) opac-search.pl (opac) or (2) c...
CVE-2023-5025
KOHA up to 23.05.03 contains a cross-site scripting (XSS) vulnerability in the MARC component, specifically in the /cgi-bin/koha/catalogue/search.pl file. The vulnerability can be triggered remotely and the exploit has been disclosed publicly. The affected file path and component are explicitly i...
CVE-2024-28739
Koha ILS 23.05 and earlier is described in multiple sources as vulnerable to remote code execution via a crafted script to the format parameter. The vulnerability affects Koha ILS versions up to and including 23.05. Concrete exploit details beyond the high-level description (e.g., exact payloads ...
CVE-2015-4639
CVE-2015-4639 describes a cross-site scripting (XSS) vulnerability in Koha’s opac-addbybiblionumber.pl. The issue allows remote attackers to inject arbitrary web script or HTML via a crafted list name in Koha versions: 3.14.x before 3.14.16, 3.16.x before 3.16.12, and 3.20.x before 3.20.1. Exploi...
CVE-2024-28740
CVE-2024-28740 affects Koha ILS versions 23.05 and earlier. The vulnerability is a Cross Site Scripting issue that allows a remote attacker to execute arbitrary code via the additonal-contents.pl component. Evidence across multiple sources confirms the affected product/version and the exploitatio...
CVE-2018-1000669
CVE-2018-1000669 | KOHA Library System contains a CSRF vulnerability in /cgi-bin/koha/members/paycollect.pl affecting borrowernumber, amount, amountoutstanding, and paid. An attacker can result in marking payments as paid for certain users on behalf of Administrators, via a socially engineered li...
CVE-2026-26378
Affects Koha 25.11 and earlier. Cross-Site Scripting via the file upload function in Invoice features allows a remote attacker to execute arbitrary code. Root cause details are not provided beyond this description. No remediation or patch version is stated in the available documents.
CVE-2026-26379
CVE-2026-26379 affects Koha v0: Koha v.25.11 and earlier, where the Z39.50 configuration module is the entry point. The issue enables a remote attacker to execute arbitrary code. The available sources do not specify the underlying root cause details or exact vulnerable file/function, nor do they ...
CVE-2026-26377
CVE-2026-26377: Cross Site Scripting in Koha 25.11 and earlier via the News function. A remote attacker could execute arbitrary code in affected Koha versions. Affected software/component: Koha News feature (Koha 25.11 and earlier). Root cause: cross-site scripting vulnerability in the News funct...
CVE-2026-31844
CVE-2026-31844 describes an authenticated SQL Injection (CWE-89) vulnerability in the Koha web application, exploitable by a low-privileged staff user via the displayby parameter of /cgi-bin/koha/suggestion/suggestion.pl. The issue allows arbitrary SQL queries and access to sensitive database inf...
CVE-2026-50765
CVE-2026-50765 is a Cross-Site Scripting (XSS) vulnerability in Koha Library Management System (through version 25.11) affecting the patron restriction type administration page. An authenticated administrator can inject arbitrary scripts via the restriction type label (display_text field). The is...
CVE-2026-50767
CVE-2026-50767 describes a stored XSS vulnerability in Koha Library Management System (up to version 25.11) where an authenticated administrator can inject arbitrary scripts through the item type check-in message field (checkinmsg). The issue requires administrator privileges and is triggered by ...
CVE-2026-50766
CVE-2026-50766 is a stored XSS vulnerability in the Koha Library Management System (OPAC item detail page) up to version 25.11. An authenticated user with the ability to edit items can inject arbitrary web scripts via the item public notes field (items.itemnotes). The connected documents confirm ...