CVE-2015-4630

HIGH

Koha 3.14.00-3.14.15 - Cross-Site Request Forgery via Member Entry or Flag Endpoints

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2015-4630. PoCs published by Raschin Tavakoli_ Bernhard Garn_ Peter Aufner & Dimitris Simos.

AI-analyzed exploit summary This is a detailed writeup describing multiple XSS and XSRF vulnerabilities in Koha Open Source ILS. It includes affected versions, exploitation vectors, and proof-of-concept attack scenarios but does not contain executable exploit code.

Description

Multiple cross-site request forgery (CSRF) vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to (1) hijack the authentication of administrators for requests that create a user via a request to members/memberentry.pl or (2) give a user superlibrarian permission via a request to members/member-flags.pl or (3) hijack the authentication of arbitrary users for requests that conduct cross-site scripting (XSS) attacks via the addshelf parameter to opac-shelves.pl.

Exploits (1)

exploitdb WRITEUP

by Raschin Tavakoli_ Bernhard Garn_ Peter Aufner & Dimitris Simos · textwebappsphp

https://www.exploit-db.com/exploits/37389

View Code ZIP pw:eip

This is a detailed writeup describing multiple XSS and XSRF vulnerabilities in Koha Open Source ILS. It includes affected versions, exploitation vectors, and proof-of-concept attack scenarios but does not contain executable exploit code.

Classification

Writeup 90%

Attack Type

Xss

Complexity

Moderate

Reliability

Reliable

Target: Koha Open Source ILS (versions 3.20.x <= 3.20.1, 3.18.x <= 3.18.8, 3.16.x <= 3.16.12)

Auth required

Prerequisites: User interaction (clicking a malicious link) · User must be logged in to the OPAC interface · User must have permissions to create public lists

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →