Cross-Site Scripting Vulnerability in Koha Library Management System
CVE-2024-24336
Summary
A critical Cross-Site Scripting vulnerability exists in the Koha Library Management System, specifically in the '/members/moremember.pl' and '/members/members-home.pl' endpoints. This flaw permits malicious staff users to execute Cross-Site Request Forgery (CSRF) attacks, enabling unauthorized modifications to users' usernames and passwords. The vulnerability affects Koha Library Management System versions prior to 23.05.05, putting user accounts at risk of compromise through the 'Circulation note' and 'Patrons Restriction' components.
References
Timeline
Vulnerability published
Vulnerability Reserved