Vulnerabilities > Koha

DATE CVE VULNERABILITY TITLE RISK
2024-08-06 CVE-2024-28739 Command Injection vulnerability in Koha
An issue in Koha ILS 23.05 and before allows a remote attacker to execute arbitrary code via a crafted script to the format parameter.
network
low complexity
koha CWE-77
7.2
2024-08-06 CVE-2024-28740 Cross-site Scripting vulnerability in Koha
Cross Site Scripting vulnerability in Koha ILS 23.05 and before allows a remote attacker to execute arbitrary code via the additonal-contents.pl component.
network
low complexity
koha CWE-79
critical
9.6
2024-02-12 CVE-2024-24337 Improper Neutralization of Formula Elements in a CSV File vulnerability in Koha
CSV Injection vulnerability in '/members/moremember.pl' and '/admin/aqbudgets.pl' endpoints in Koha Library Management System version 23.05.05 and earlier allows attackers to to inject DDE commands into csv exports via the 'Budget' and 'Patrons Member' components.
network
low complexity
koha CWE-1236
8.0
2023-09-17 CVE-2023-5025 Unspecified vulnerability in Koha
A vulnerability was found in KOHA up to 23.05.03.
network
low complexity
koha
5.4
2020-01-24 CVE-2014-1925 SQL Injection vulnerability in Koha
SQL injection vulnerability in the MARC framework import/export function (admin/import_export_framework.pl) in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.
network
low complexity
koha CWE-89
critical
9.8
2020-01-24 CVE-2014-1924 SQL Injection vulnerability in Koha
The MARC framework import/export function (admin/import_export_framework.pl) in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 does not require authentication, which allows remote attackers to conduct SQL injection attacks via unspecified vectors.
network
low complexity
koha CWE-89
critical
9.8
2020-01-24 CVE-2014-1923 Path Traversal vulnerability in Koha
Multiple directory traversal vulnerabilities in the (1) staff interface help editor (edithelp.pl) or (2) member-picupload.pl in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 allow remote attackers to write to arbitrary files via unspecified vectors.
network
low complexity
koha CWE-22
7.5
2020-01-24 CVE-2014-1922 Path Traversal vulnerability in Koha
Absolute path traversal vulnerability in tools/pdfViewer.pl in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 allows remote attackers to read arbitrary files via unspecified vectors.
network
low complexity
koha CWE-22
7.5
2018-10-18 CVE-2015-4633 SQL Injection vulnerability in Koha
Multiple SQL injection vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow (1) remote attackers to execute arbitrary SQL commands via the number parameter to opac-tags_subject.pl in the OPAC interface or (2) remote authenticated users to execute arbitrary SQL commands via the Filter or (3) Criteria parameter to reports/borrowers_out.pl in the Staff interface.
network
low complexity
koha CWE-89
critical
9.8
2018-10-18 CVE-2015-4632 Path Traversal vulnerability in Koha
Multiple directory traversal vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the template_path parameter to (1) svc/virtualshelves/search or (2) svc/members/search.
network
low complexity
koha CWE-22
7.5