Koha Library Software OPAC Multiple Cross Site Scripting Vulnerabilities

Summary
The host is running Koha Library Software and is prone to multiple cross-site scripting vulnerabilities.
Impact
Successful exploitation will allow remote attackers to insert arbitrary HTML and script code, which will be executed in a user's browser session in the context of an affected site.
Impact Level: Application
Solution
Upgrade to Koha Library Software version 3.4.2 or later. For updates, refer to http://koha-community.org/
Insight
The flaws are due to improper validation of user-supplied input in the 'bib_list' parameter to opac-downloadcart.pl, the 'biblionumber' parameter to opac-serial-issues.pl, opac-addbybiblionumber.pl and opac-review.pl, and the 'shelfid' parameter to opac-sendshelf.pl and opac-downloadshelf.pl.
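A log-review sketch for the scripts and parameters named above, added here as an example and not taken from the advisory or from Koha. It assumes that record and shelf ids are decimal integers, that 'bib_list' is a "/"-separated list of them, and that the OPAC is served under /cgi-bin/koha/; the log lines are constructed. Only query-string values appear in access logs, so parameters sent in a POST body are not covered.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Script -> parameter pairs from the advisory's Insight section.
WATCHED = {
    "opac-downloadcart.pl": "bib_list",
    "opac-serial-issues.pl": "biblionumber",
    "opac-addbybiblionumber.pl": "biblionumber",
    "opac-review.pl": "biblionumber",
    "opac-sendshelf.pl": "shelfid",
    "opac-downloadshelf.pl": "shelfid",
}
# Assumption: ids are decimal integers and bib_list is a "/"-separated
# list of them. Any other decoded value is reported for review.
NUMERIC = re.compile(r"\d+")
EXPECTED = {"bib_list": re.compile(r"\d+(/\d+)*/?"),
            "biblionumber": NUMERIC, "shelfid": NUMERIC}
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def suspicious_requests(log_lines):
    """Return (script, parameter, decoded value) for each unexpected value."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        script = url.path.rsplit("/", 1)[-1]
        param = WATCHED.get(script)
        if param is None:
            continue  # not one of the scripts listed in the advisory
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            if not EXPECTED[param].fullmatch(value):
                hits.append((script, param, value))
    return hits

# Constructed sample lines in combined log format, not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2012:10:00:00 +0000] "GET /cgi-bin/koha/opac-review.pl?biblionumber=42 HTTP/1.1" 200 5120',
    '192.0.2.11 - - [01/Jan/2012:10:00:05 +0000] "GET /cgi-bin/koha/opac-review.pl?biblionumber=42%3Cb%3Ex%3C%2Fb%3E HTTP/1.1" 200 5188',
    '192.0.2.10 - - [01/Jan/2012:10:01:00 +0000] "GET /cgi-bin/koha/opac-downloadcart.pl?bib_list=12/15/ HTTP/1.1" 200 900',
    '192.0.2.12 - - [01/Jan/2012:10:02:00 +0000] "GET /cgi-bin/koha/opac-sendshelf.pl?shelfid=7%22%3E HTTP/1.1" 200 2100',
    '192.0.2.13 - - [01/Jan/2012:10:03:00 +0000] "GET /cgi-bin/koha/opac-search.pl?q=%3Cb%3E HTTP/1.1" 200 3000',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```
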
Affected
Koha Library Software versions 3.4.1 and prior.