← volver
CVE-2015-4631

CVE-2015-4631

EPSS 3.7%
Multiple cross-site scripting (XSS) vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to inject arbitrary web script or HTML via the (1) tag parameter to opac-search.pl; the (2) value parameter to authorities/authorities-home.pl; the (3) delay parameter to acqui/lateorders.pl; the (4) authtypecode or (5) tagfield to admin/auth_subfields_structure.pl; the (6) tagfield parameter to admin/marc_subfields_structure.pl; the (7) limit parameter to catalogue/search.pl; the (8) bookseller_filter, (9) callnumber_filter, (10) EAN_filter, (11) ISSN_filter, (12) publisher_filter, or (13) title_filter parameter to serials/serials-search.pl; or the (14) author, (15) collectiontitle, (16) copyrightdate, (17) isbn, (18) manageddate_from, (19) manageddate_to, (20) publishercode, (21) suggesteddate_from, or (22) suggesteddate_to parameter to suggestion/suggestion.pl; or the (23) direction, (24) display or (25) addshelf parameter to opac-shelves.pl.
Productos afectados
n/a · n/a
PoCs públicas encontradas3
cve_referencepacketstormsecurity.com/files/132458/Koha-ILS-3.20.x-CSRF-XSS-Traversal-SQL-Injection.htmlno verificadocve_referencewww.exploit-db.com/exploits/37389/no verificadoexploitdbwww.exploit-db.com/exploits/37389no verificado
⚠ Recursos públicos, para evaluar la exposición de sistemas que controlas o estás autorizado a probar. Prueba solo con autorización.

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14416https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14418https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14423https://koha-community.org/koha-3-14-16-released/https://koha-community.org/security-release-koha-3-16-12/https://koha-community.org/security-release-koha-3-18-8/https://koha-community.org/security-release-koha-3-20-1/https://packetstormsecurity.com/files/132458/Koha-ILS-3.20.x-CSRF-XSS-Traversal-SQL-Injection.htmlhttps://seclists.org/fulldisclosure/2015/Jun/80https://www.exploit-db.com/exploits/37389/https://www.sba-research.org/2015/06/24/researchers-of-sba-research-found-several-critical-security-vulnerabilities-in-the-koha-library-software-via-combinatorial-testing/