Koha ≫ Koha

The MARC framework import/export function (admin/import_export_framework.pl) in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 does not require authentication, which allows remote attackers to conduct SQL i...

SQL injection vulnerability in the MARC framework import/export function (admin/import_export_framework.pl) in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 allows remote authenticated users to execute arb...

Multiple directory traversal vulnerabilities in the (1) staff interface help editor (edithelp.pl) or (2) member-picupload.pl in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 allow remote attackers to write...

Absolute path traversal vulnerability in tools/pdfViewer.pl in Koha before 3.8.23, 3.10.x before 3.10.13, 3.12.x before 3.12.10, and 3.14.x before 3.14.3 allows remote attackers to read arbitrary files via unspecified vectors.

Multiple SQL injection vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow (1) remote attackers to execute arbitrary SQL commands via the number parameter to opac-tags_subject.pl...

Multiple directory traversal vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the template_path...

Multiple cross-site scripting (XSS) vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to inject arbitrary web script or HTML via the (1) tag parameter to opac-...

Multiple cross-site request forgery (CSRF) vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to (1) hijack the authentication of administrators for requests th...

KOHA Library System version 16.11.x (up until 16.11.13) and 17.05.x (up until 17.05.05) contains a Cross Site Scripting (XSS) vulnerability in Multiple fields on multiple pages including /cgi-bin/koha/acqui/supplier.pl?op=enter , /cgi-bin/koha/circ/c...

KOHA Library System version 16.11.x (up until 16.11.13) and 17.05.x (up until 17.05.05) contains a Cross Site Request Forgery (CSRF) vulnerability in /cgi-bin/koha/members/paycollect.pl Parameters affected: borrowernumber, amount, amountoutstanding, ...