Summary
Koha is prone to multiple vulnerabilities.
Solution
Updates are available.
Insight
Bug 11660: tools/pdfViewer.pl could be used to read arbitrary files on the server
Bug 11661: the staff interface help editor could be used to modify or create arbitrary files on the server with the privileges of the Apache user
Bug 11662: member-picupload.pl could be used to write to arbitrary files on the server with the privileges of the Apache user
Bug 11666: the MARC framework import/export function did not require authentication, and could be used to perform unexpected SQL commands
Affected
- Koha < 3.14.3
- Koha < 3.12.10
- Koha < 3.10.13
- Koha < 3.8.23
Detection
Try to read a local file via tools/pdfViewer.pl.
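As an added defender-side check, not part of this advisory: a Python helper that maps a Koha version string to its stable branch and reports whether it is below that branch's fixed release listed under Affected, so an inventory can be triaged without touching the vulnerable scripts. It assumes Koha's dotted numeric version format (e.g. 3.14.03.000 or 3.14.3), treats branches the advisory does not list as outside its scope, and the inventory data is constructed.

```python
# Added example (not from the advisory): version-based triage for the
# Koha releases this advisory covers. Fixed releases per stable branch,
# taken from the Affected section above.
FIXED_VERSIONS = {
    (3, 14): (3, 14, 3),
    (3, 12): (3, 12, 10),
    (3, 10): (3, 10, 13),
    (3, 8): (3, 8, 23),
}


def parse_version(version):
    """Turn '3.14.03.000' or '3.14.3' into a tuple of ints.

    Assumes Koha's purely numeric dotted format; tuple comparison then
    orders releases correctly (3.14.2 < 3.14.3 < 3.14.03.000 is not an
    issue because (3,14,3,0) compares greater than (3,14,3)).
    """
    parts = version.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        raise ValueError("unrecognised Koha version string: %r" % version)
    return tuple(int(p) for p in parts)


def affected_status(version):
    """Return 'vulnerable', 'fixed' or 'not-covered' for one version.

    'not-covered' means the release branch is not one the advisory lists
    (e.g. an older unsupported branch or a branch released after the fix);
    such hosts need a separate check rather than being assumed safe.
    """
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return "not-covered"
    return "vulnerable" if v < fixed else "fixed"


def triage(inventory):
    """Map {host: version} to a sorted list of (host, version, status)
    for every host that is not confirmed fixed."""
    rows = []
    for host, version in inventory.items():
        status = affected_status(version)
        if status != "fixed":
            rows.append((host, version, status))
    return sorted(rows)


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {"opac1": "3.14.02.000", "opac2": "3.14.03.000",
              "staff1": "3.12.9", "legacy": "3.6.4"}
    for row in triage(sample):
        print("%s\t%s\t%s" % row)
```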
References
Updated on 2015-03-25
Severity
CVE: CVE-2014-1922, CVE-2014-1923, CVE-2014-1924, CVE-2014-1925
CVSS Base Score: 6.4
CVSS v2 vector: AV:N/AC:L/Au:N/C:P/I:P/A:N