Summary
Koha is prone to multiple vulnerabilities.
Solution
Updates are available.
Insight
- Bug 11660: tools/pdfViewer.pl could be used to read arbitrary files on the server
- Bug 11661: the staff interface help editor could be used to modify or create arbitrary files on the server with the privileges of the Apache user
- Bug 11662: member-picupload.pl could be used to write to arbitrary files on the server with the privileges of the Apache user
- Bug 11666: the MARC framework import/export function did not require authentication and could be used to perform unexpected SQL commands
Affected
Koha versions prior to:
- 3.14.3
- 3.12.10
- 3.10.13
- 3.8.23
Detection
Try to read a local file via tools/pdfViewer.pl.
Updated on 2015-03-25
Severity
CVE: CVE-2014-1922, CVE-2014-1923, CVE-2014-1924, CVE-2014-1925
CVSS Base Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)