CVE-2015-4630

HIGH

Koha < 3.14.16 - CSRF

Title source: rule
STIX 2.1

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to (1) hijack the authentication of administrators for requests that create a user via a request to members/memberentry.pl or (2) give a user superlibrarian permission via a request to members/member-flags.pl or (3) hijack the authentication of arbitrary users for requests that conduct cross-site scripting (XSS) attacks via the addshelf parameter to opac-shelves.pl.

Exploits (1)

exploitdb WRITEUP
by Raschin Tavakoli_ Bernhard Garn_ Peter Aufner & Dimitris Simos · textwebappsphp
https://www.exploit-db.com/exploits/37389

References (9)

Core 9
Core References
Product, Release Notes, Vendor Advisory x_refsource_confirm
https://koha-community.org/security-release-koha-3-16-12/
Exploit, Issue Tracking, Vendor Advisory x_refsource_confirm
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14423
Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
https://seclists.org/fulldisclosure/2015/Jun/80
Product, Release Notes, Vendor Advisory x_refsource_confirm
https://koha-community.org/security-release-koha-3-18-8/
Product, Release Notes, Vendor Advisory x_refsource_confirm
https://koha-community.org/security-release-koha-3-20-1/
Product, Release Notes, Vendor Advisory x_refsource_confirm
https://koha-community.org/koha-3-14-16-released/
Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/37389/

Scores

CVSS v3 8.0
EPSS 0.0061
EPSS Percentile 69.8%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-352
Status published
Products (1)
koha/koha 3.14.00 - 3.14.16
Published Oct 18, 2018
Tracked Since Feb 18, 2026