Cross-Site Scripting Vulnerability in Koha Library Management System
CVE-2024-24336
8.1 HIGH
What is CVE-2024-24336?
A critical Cross-Site Scripting (XSS) vulnerability exists in the Koha Library Management System, specifically in the '/members/moremember.pl' and '/members/members-home.pl' endpoints. The flaw allows a malicious staff user to carry out Cross-Site Request Forgery (CSRF) attacks that make unauthorized changes to other users' usernames and passwords. It affects Koha Library Management System versions prior to 23.05.05 and is reachable via the 'Circulation note' and 'Patrons Restriction' components, putting user accounts at risk of compromise.
