CVE-2024-24336

HIGH

Koha Library Management System <23.05.05 - XSS

Title source: llm

Description

A multiple Cross-site scripting (XSS) vulnerability in the '/members/moremember.pl', and ‘/members/members-home.pl’ endpoints within Koha Library Management System version 23.05.05 and earlier allows malicious staff users to carry out CSRF attacks, including unauthorized changes to usernames and passwords of users visiting the affected page, via the 'Circulation note' and ‘Patrons Restriction’ components.

References (2)

Core 2

Core References

Various Sources

https://nitipoom-jar.github.io/CVE-2024-24336/

Various Sources

https://nitipoom-jaroonchaipipat.github.io/security-research-portal/2024-24336

Scores

CVSS v3 8.1

EPSS 0.0036

EPSS Percentile 28.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-352

Status published

Published Mar 19, 2024

Tracked Since Feb 18, 2026