Vulnerability Details : CVE-2015-4631
Multiple cross-site scripting (XSS) vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to inject arbitrary web script or HTML via the (1) tag parameter to opac-search.pl; the (2) value parameter to authorities/authorities-home.pl; the (3) delay parameter to acqui/lateorders.pl; the (4) authtypecode or (5) tagfield parameter to admin/auth_subfields_structure.pl; the (6) tagfield parameter to admin/marc_subfields_structure.pl; the (7) limit parameter to catalogue/search.pl; the (8) bookseller_filter, (9) callnumber_filter, (10) EAN_filter, (11) ISSN_filter, (12) publisher_filter, or (13) title_filter parameter to serials/serials-search.pl; the (14) author, (15) collectiontitle, (16) copyrightdate, (17) isbn, (18) manageddate_from, (19) manageddate_to, (20) publishercode, (21) suggesteddate_from, or (22) suggesteddate_to parameter to suggestion/suggestion.pl; or the (23) direction, (24) display, or (25) addshelf parameter to opac-shelves.pl.
Vulnerability category: Cross site scripting (XSS)
Products affected by CVE-2015-4631
- cpe:2.3:a:koha:koha:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2015-4631
- EPSS score: 0.15% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~50% (the proportion of vulnerabilities that are scored at or below this score)
CVSS scores for CVE-2015-4631
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N | 6.8 | 2.9 | NIST |
5.4 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 2.3 | 2.7 | NIST |
CWE ids for CVE-2015-4631
- The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. (Assigned by: nvd@nist.gov, Primary)
References for CVE-2015-4631
- 14418 – XSS Flaws in OPAC Interface (Exploit; Issue Tracking; Vendor Advisory): https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14418
- 14416 – Stored XSS flaw affects OPAC and Staff interface (Exploit; Issue Tracking; Vendor Advisory): https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14416
- Koha ILS 3.20.x CSRF / XSS / Traversal / SQL Injection ≈ Packet Storm (Exploit; Third Party Advisory; VDB Entry): https://packetstormsecurity.com/files/132458/Koha-ILS-3.20.x-CSRF-XSS-Traversal-SQL-Injection.html
- Koha 3.20.1 - Multiple Cross-Site Scripting / Cross-Site Request Forgery Vulnerabilities (Exploit; Third Party Advisory; VDB Entry): https://www.exploit-db.com/exploits/37389/
- Security Release – Koha 3.18.8 – Official Website of Koha Library Software (Product; Release Notes; Vendor Advisory): https://koha-community.org/security-release-koha-3-18-8/
- Koha 3.14.16 released – Official Website of Koha Library Software (Product; Release Notes; Vendor Advisory): https://koha-community.org/koha-3-14-16-released/
- 14423 – Multiple XSS and XSRF issues in Staff Client (Exploit; Issue Tracking): https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14423
- Security Release – Koha 3.16.12 – Official Website of Koha Library Software (Product; Release Notes; Vendor Advisory): https://koha-community.org/security-release-koha-3-16-12/
- Security Release – Koha 3.20.1 – Official Website of Koha Library Software (Product; Release Notes; Vendor Advisory): https://koha-community.org/security-release-koha-3-20-1/
- Full Disclosure: SBA Research Vulnerability Disclosure - Multiple Critical Vulnerabilities in Koha ILS (Exploit; Mailing List; Third Party Advisory): https://seclists.org/fulldisclosure/2015/Jun/80
- Researchers of SBA Research found several critical security vulnerabilities in the Koha Library software via Combinatorial Testing | SBA Research (Third Party Advisory): https://www.sba-research.org/2015/06/24/researchers-of-sba-research-found-several-critical-security-vulnerabilities-in-the-koha-library-software-via-combinatorial-testing/