Cross Site Scripting Vulnerability in KOHA Library System by KOHA Community
CVE-2018-1000670

6.1MEDIUM

Key Information:

Vendor: Koha
Status: Koha
Vendor: CVE Published:; 6 September 2018

Summary

The KOHA Library System, specifically versions 16.11.x up to 16.11.13 and 17.05.x up to 17.05.05, is affected by a Cross Site Scripting (XSS) vulnerability that exists in multiple fields across various pages. Notably, it can be exploited through URLs like /cgi-bin/koha/acqui/supplier.pl?op=enter and /cgi-bin/koha/circ/circulation.pl?borrowernumber=[number]. An attacker could potentially take control of a higher-privileged user's browser session through social engineering tactics, tricking victims into visiting a compromised page that contains malicious payloads. This security issue has been addressed in version 17.11.

References

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id...

x_refsource_CONFIRM

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Timeline

Vulnerability published
Sep 6, 2018
Vulnerability Reserved
Aug 24, 2018