CVE-2015-4639
HIGHKoha 3.14.x < 3.14.16, 3.16.x < 3.16.12, 3.20.x < 3.20.1 - Cross-Site Scripting via Crafted List Name
Title source: llmDescription
Cross-site scripting (XSS) vulnerability in opac-addbybiblionumber.pl in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, and 3.20.x before 3.20.1 allows remote attackers to inject arbitrary web script or HTML via a crafted list name.
References (4)
Core 4
Core References
Issue Tracking, Third Party Advisory x_refsource_confirm
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14416#c4
Various Sources x_refsource_confirm
https://koha-community.org/security-release-koha-3-16-12/
Various Sources x_refsource_confirm
https://koha-community.org/koha-3-14-16-released/
Various Sources x_refsource_confirm
https://koha-community.org/security-release-koha-3-20-1/
Scores
CVSS v3
8.8
EPSS
0.0062
EPSS Percentile
45.4%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Details
CWE
CWE-352
Status
published
Products (29)
koha/koha
3.14.00 (4 CPE variants)
koha/koha
3.14.01
koha/koha
3.14.02
koha/koha
3.14.03
koha/koha
3.14.04
koha/koha
3.14.05
koha/koha
3.14.06
koha/koha
3.14.07
koha/koha
3.14.08
koha/koha
3.14.09
... and 19 more
Published
Jul 21, 2017
Tracked Since
Feb 18, 2026