CVE-2015-4631 Information
Description
Multiple cross-site scripting (XSS) vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to inject arbitrary web script or HTML via the (1) tag parameter to opac-search.pl; the (2) value parameter to authorities/authorities-home.pl; the (3) delay parameter to acqui/lateorders.pl; the (4) authtypecode or (5) tagfield parameter to admin/auth_subfields_structure.pl; the (6) tagfield parameter to admin/marc_subfields_structure.pl; the (7) limit parameter to catalogue/search.pl; the (8) bookseller_filter, (9) callnumber_filter, (10) EAN_filter, (11) ISSN_filter, (12) publisher_filter, or (13) title_filter parameter to serials/serials-search.pl; the (14) author, (15) collectiontitle, (16) copyrightdate, (17) isbn, (18) manageddate_from, (19) manageddate_to, (20) publishercode, (21) suggesteddate_from, or (22) suggesteddate_to parameter to suggestion/suggestion.pl; or the (23) direction, (24) display, or (25) addshelf parameter to opac-shelves.pl.
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Reference
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14416
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14418
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14423
https://koha-community.org/koha-3-14-16-released/
https://koha-community.org/security-release-koha-3-16-12/
https://koha-community.org/security-release-koha-3-18-8/
https://koha-community.org/security-release-koha-3-20-1/
https://packetstormsecurity.com/files/132458/Koha-ILS-3.20.x-CSRF-XSS-Traversal-SQL-Injection.html
https://seclists.org/fulldisclosure/2015/Jun/80
https://www.exploit-db.com/exploits/37389/
https://www.sba-research.org/2015/06/24/researchers-of-sba-research-found-several-critical-security-vulnerabilities-in-the-koha-library-software-via-combinatorial-testing/
Attack Complexity
LOW
Privileges Required
LOW
User Interaction Required
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
Base Score
5.4
Base Severity
MEDIUM