CVE-2015-4630

Sažetak

Multiple cross-site request forgery (CSRF) vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to (1) hijack the authentication of administrators for requests that create a user via a request to members/memberentry.pl or (2) give a user superlibrarian permission via a request to members/member-flags.pl or (3) hijack the authentication of arbitrary users for requests that conduct cross-site scripting (XSS) attacks via the addshelf parameter to opac-shelves.pl.

Reference

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14423
https://koha-community.org/koha-3-14-16-released/
https://koha-community.org/security-release-koha-3-16-12/
https://koha-community.org/security-release-koha-3-18-8/
https://koha-community.org/security-release-koha-3-20-1/
https://packetstormsecurity.com/files/132458/Koha-ILS-3.20.x-CSRF-XSS-Traversal-SQL-Injection.html
https://seclists.org/fulldisclosure/2015/Jun/80
https://www.exploit-db.com/exploits/37389/
https://www.sba-research.org/2015/06/24/researchers-of-sba-research-found-several-critical-security-vulnerabilities-in-the-koha-library-software-via-combinatorial-testing/

CVSS

Base:	6.0
Impact:	6.4
Exploitability:	6.8

Pristup

Vektor	Složenost	Autentikacija
NETWORK	MEDIUM	SINGLE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	PARTIAL

CVSS vektor

AV:N/AC:M/Au:S/C:P/I:P/A:P

Zadnje važnije ažuriranje

04-12-2018 - 19:59

Objavljeno

18-10-2018 - 21:29