CVE-2015-4639

HIGH

Koha 3.14.x < 3.14.16, 3.16.x < 3.16.12, 3.20.x < 3.20.1 - Cross-Site Scripting via Crafted List Name

Title source: llm
STIX 2.1

Description

Cross-site scripting (XSS) vulnerability in opac-addbybiblionumber.pl in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, and 3.20.x before 3.20.1 allows remote attackers to inject arbitrary web script or HTML via a crafted list name.

References (4)

Core 4
Core References
Issue Tracking, Third Party Advisory x_refsource_confirm
http://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14416#c4
Various Sources x_refsource_confirm
https://koha-community.org/security-release-koha-3-16-12/
Various Sources x_refsource_confirm
https://koha-community.org/koha-3-14-16-released/
Various Sources x_refsource_confirm
https://koha-community.org/security-release-koha-3-20-1/

Scores

CVSS v3 8.8
EPSS 0.0062
EPSS Percentile 45.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE
CWE-352
Status published
Products (29)
koha/koha 3.14.00 (4 CPE variants)
koha/koha 3.14.01
koha/koha 3.14.02
koha/koha 3.14.03
koha/koha 3.14.04
koha/koha 3.14.05
koha/koha 3.14.06
koha/koha 3.14.07
koha/koha 3.14.08
koha/koha 3.14.09
... and 19 more
Published Jul 21, 2017
Tracked Since Feb 18, 2026