CSV Injection Vulnerability in Koha Library Management System
CVE-2024-24337

8HIGH

Key Information:

Vendor: Koha
Status: Koha
Vendor: CVE Published:; 12 February 2024

What is CVE-2024-24337?

The vulnerability allows for CSV Injection in the Koha Library Management System, specifically within the '/members/moremember.pl' and '/admin/aqbudgets.pl' endpoints. Attackers can exploit this issue by injecting Dynamic Data Exchange (DDE) commands into CSV exports generated from the 'Budget' and 'Patrons Member' components. This exploitation can lead to unauthorized command execution, posing significant risks to the integrity and security of the exported data.

References

https://nitipoom-jar.github.io/CVE-2024-24337/

https://nitipoom-jaroonchaipipat.github.io/security-resea...

CVSS V3.1

Score:

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 12, 2024
Vulnerability Reserved
Jan 25, 2024

JSON