Lucene search
K

24 matches found

CVE
CVE
added 2024/02/12 12:0 a.m.98 views

CVE-2024-24337

CVE-2024-24337 affects Koha Library Management System

8.8CVSS7.2AI score0.00811EPSS
CVE
CVE
added 2018/10/18 8:0 p.m.81 views

CVE-2015-4632

CVE-2015-4632 : Koha suffers a directory traversal vulnerability in multiple releases (Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, 3.20.x before 3.20.1). An attacker can read arbitrary files by injecting a dot-dot encoded slash (..%2f) via the template_path parameter...

7.5CVSS7.6AI score0.51829EPSS
Web
CVE
CVE
added 2018/10/18 8:0 p.m.80 views

CVE-2015-4633

CVE-2015-4633 affects Koha ILS across multiple releases (notably 3.14.x up to 3.14.16, 3.16.x up to 3.16.12, 3.18.x up to 3.18.08, and 3.20.x up to 3.20.1). Vulnerability details show two SQL injection vectors: (1) unauthenticated injection via the number parameter to opac-tags_subject.pl in the ...

9.8CVSS9.8AI score0.06022EPSS
Web
CVE
CVE
added 2011/12/08 7:0 p.m.59 views

CVE-2011-4715

CVE-2011-4715 affects Koha and LibLime Koha prior to updates: a directory traversal/ local file inclusion flaw in cgi-bin/koha/mainpage.pl related to the KohaOpacLanguage cookie can allow reading arbitrary files via the cookie to cgi-bin/opac/opac-main.pl (Output.pm). Affected versions: Koha 3.4 ...

5CVSS6.9AI score0.0938EPSS
Web
CVE
CVE
added 2020/01/24 4:42 p.m.59 views

CVE-2014-1924

The CVE-2014-1924 entry affects Koha’s MARC framework import/export function (admin/import_export_framework.pl). The vulnerability occurs in Koha versions before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3, where the import/export interface does not require auth...

9.8CVSS9.7AI score0.02038EPSS
CVE
CVE
added 2020/01/24 4:42 p.m.58 views

CVE-2014-1922

Koha’s pdfViewer.pl contains an absolute path traversal vulnerability affecting Koha releases up to 3.8.22, 3.10.x up to 3.10.12, 3.12.x up to 3.12.9, and 3.14.x up to 3.14.2. The flaw allows remote attackers to read arbitrary files via unspecified vectors. Attack is network-based with no authent...

7.5CVSS7.8AI score0.02312EPSS
CVE
CVE
added 2020/01/24 4:42 p.m.57 views

CVE-2014-1925

Koha CVE-2014-1925 affects the MARC framework import/export function (admin/import_export_framework.pl). Affected versions include Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3. Description: an SQL injection vulnerability allows remote authenticated us...

9.8CVSS9.4AI score0.0199EPSS
CVE
CVE
added 2018/10/18 8:0 p.m.53 views

CVE-2015-4630

Koha CVE-2015-4630 affects multiple 3.14–3.20 series: CSRF/XSS vulnerabilities allow (1) admin session hijack via memberentry.pl to create users, (2) privilege escalation to superlibrarian via member-flags.pl, and (3) arbitrary user hijack via addshelf XSS on opac-shelves.pl. Publicly known fixed...

8CVSS8.5AI score0.02974EPSS
Web
CVE
CVE
added 2018/10/18 8:0 p.m.51 views

CVE-2015-4631

CVE-2015-4631 concerns multiple cross-site scripting (XSS) vulnerabilities in Koha. Affected are Koha 3.14.x prior to 3.14.16, 3.16.x prior to 3.16.12, 3.18.x prior to 3.18.08, and 3.20.x prior to 3.20.1. The flaws allow remote attackers to inject arbitrary scripts via numerous parameters across ...

5.4CVSS6.8AI score0.03711EPSS
Web
CVE
CVE
added 2020/01/24 4:42 p.m.50 views

CVE-2014-1923

CVE-2014-1923 affects Koha: 3.8.x prior to 3.8.23, 3.10.x prior to 3.10.13, 3.12.x prior to 3.12.10, and 3.14.x prior to 3.14.3. Two vulnerable components are the staff interface help editor (edithelp.pl) and member-picupload.pl. A remote attacker can write to arbitrary files via unspecified vect...

7.5CVSS8.1AI score0.03464EPSS
CVE
CVE
added 2018/09/06 7:0 p.m.50 views

CVE-2018-1000670

KOHA Library System versions 16.11.x (up to 16.11.13) and 17.05.x (up to 17.05.05) are affected by a Cross Site Scripting (XSS) vulnerability in multiple fields across several pages (e.g., /cgi-bin/koha/acqui/supplier.pl?op=enter, /cgi-bin/koha/circ/circulation.pl?borrowernumber=[number], /cgi-bi...

6.1CVSS6.3AI score0.00648EPSS
CVE
CVE
added 2015/01/02 8:0 p.m.49 views

CVE-2014-9446

Koha vulnerability CVE-2014-9446 affects the Staff client in Koha versions prior to 3.16.6 and 3.18.x prior to 3.18.2. The issue is multiple cross-site scripting (XSS) flaws that allow remote attackers to inject arbitrary script/HTML via the sort_by parameter to (1) opac-search.pl (opac) or (2) c...

4.3CVSS5.9AI score0.0122EPSS
CVE
CVE
added 2023/09/17 7:0 a.m.49 views

CVE-2023-5025

KOHA up to 23.05.03 contains a cross-site scripting (XSS) vulnerability in the MARC component, specifically in the /cgi-bin/koha/catalogue/search.pl file. The vulnerability can be triggered remotely and the exploit has been disclosed publicly. The affected file path and component are explicitly i...

5.4CVSS4.5AI score0.00539EPSS
CVE
CVE
added 2024/08/06 12:0 a.m.49 views

CVE-2024-28739

Koha ILS 23.05 and earlier is described in multiple sources as vulnerable to remote code execution via a crafted script to the format parameter. The vulnerability affects Koha ILS versions up to and including 23.05. Concrete exploit details beyond the high-level description (e.g., exact payloads ...

9.6CVSS8AI score0.17738EPSS
CVE
CVE
added 2017/07/21 2:0 p.m.46 views

CVE-2015-4639

CVE-2015-4639 describes a cross-site scripting (XSS) vulnerability in Koha’s opac-addbybiblionumber.pl. The issue allows remote attackers to inject arbitrary web script or HTML via a crafted list name in Koha versions: 3.14.x before 3.14.16, 3.16.x before 3.16.12, and 3.20.x before 3.20.1. Exploi...

8.8CVSS6.8AI score0.0062EPSS
CVE
CVE
added 2024/08/06 12:0 a.m.44 views

CVE-2024-28740

CVE-2024-28740 affects Koha ILS versions 23.05 and earlier. The vulnerability is a Cross Site Scripting issue that allows a remote attacker to execute arbitrary code via the additonal-contents.pl component. Evidence across multiple sources confirms the affected product/version and the exploitatio...

9.6CVSS7.5AI score0.00673EPSS
CVE
CVE
added 2018/09/06 7:0 p.m.38 views

CVE-2018-1000669

CVE-2018-1000669 | KOHA Library System contains a CSRF vulnerability in /cgi-bin/koha/members/paycollect.pl affecting borrowernumber, amount, amountoutstanding, and paid. An attacker can result in marking payments as paid for certain users on behalf of Administrators, via a socially engineered li...

8.8CVSS8.8AI score0.00481EPSS
CVE
CVE
added 2026/06/03 12:0 a.m.20 views

CVE-2026-26378

Affects Koha 25.11 and earlier. Cross-Site Scripting via the file upload function in Invoice features allows a remote attacker to execute arbitrary code. Root cause details are not provided beyond this description. No remediation or patch version is stated in the available documents.

5.4CVSS6.2AI score0.003EPSS
CVE
CVE
added 2026/06/03 12:0 a.m.19 views

CVE-2026-26379

CVE-2026-26379 affects Koha v0: Koha v.25.11 and earlier, where the Z39.50 configuration module is the entry point. The issue enables a remote attacker to execute arbitrary code. The available sources do not specify the underlying root cause details or exact vulnerable file/function, nor do they ...

6.5CVSS5.8AI score0.00243EPSS
CVE
CVE
added 2026/03/05 12:0 a.m.14 views

CVE-2026-26377

CVE-2026-26377: Cross Site Scripting in Koha 25.11 and earlier via the News function. A remote attacker could execute arbitrary code in affected Koha versions. Affected software/component: Koha News feature (Koha 25.11 and earlier). Root cause: cross-site scripting vulnerability in the News funct...

5.4CVSS6.3AI score0.00372EPSS
CVE
CVE
added 2026/03/11 6:34 a.m.11 views

CVE-2026-31844

CVE-2026-31844 describes an authenticated SQL Injection (CWE-89) vulnerability in the Koha web application, exploitable by a low-privileged staff user via the displayby parameter of /cgi-bin/koha/suggestion/suggestion.pl. The issue allows arbitrary SQL queries and access to sensitive database inf...

9CVSS6AI score0.00442EPSS
CVE
CVE
added 2026/06/26 12:0 a.m.11 views

CVE-2026-50765

CVE-2026-50765 is a Cross-Site Scripting (XSS) vulnerability in Koha Library Management System (through version 25.11) affecting the patron restriction type administration page. An authenticated administrator can inject arbitrary scripts via the restriction type label (display_text field). The is...

6.1CVSS5.8AI score0.0022EPSS
CVE
CVE
added 2026/06/26 12:0 a.m.10 views

CVE-2026-50767

CVE-2026-50767 describes a stored XSS vulnerability in Koha Library Management System (up to version 25.11) where an authenticated administrator can inject arbitrary scripts through the item type check-in message field (checkinmsg). The issue requires administrator privileges and is triggered by ...

5.4CVSS5.8AI score0.00196EPSS
CVE
CVE
added 2026/06/26 12:0 a.m.6 views

CVE-2026-50766

CVE-2026-50766 is a stored XSS vulnerability in the Koha Library Management System (OPAC item detail page) up to version 25.11. An authenticated user with the ability to edit items can inject arbitrary web scripts via the item public notes field (items.itemnotes). The connected documents confirm ...

5.4CVSS5.8AI score0.00196EPSS