Koha SQL Injection Vulnerability in Serials Component

Vulnerability

A SQL injection vulnerability has been identified in Koha versions prior to 24.11.02, specifically within the Serials component. The issue arises in the 'lateissues-export.pl' script, where the 'supplierid' and 'serialid' parameters can be manipulated to inject arbitrary SQL commands. This vulnerability affects unauthenticated users in Koha versions 21.11.x and earlier, and authenticated users in versions 21.11.x and later.

Impact

Exploitation of this vulnerability allows SQL injection, where an attacker can execute arbitrary SQL commands against the Koha database. This could lead to unauthorized data access, data manipulation, or, in some cases, command execution on the server.

Reproduction

To reproduce this vulnerability, access the 'lateissues-export.pl' script within the Serials component of Koha. Include the 'supplierid' or 'serialid' parameter in the request. The absence of input sanitization allows for the injection of SQL commands, which will be executed by the database.

Remediation

Users can upgrade to Koha version 24.11.02 or later, where this vulnerability has been fixed.
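To show what a fix for this bug class looks like in Koha's language, here is an added, illustrative Perl sketch (not Koha's own lateissues-export.pl code, and not the actual Koha patch): the unsafe interpolation pattern beside a hardened version that validates 'supplierid' and 'serialid' as integers and binds them through DBI placeholders. The table and column names, and the use of DBD::SQLite for the demo, are assumptions.

```perl
#!/usr/bin/perl
# Illustrative sketch of the bug class, not Koha's own lateissues-export.pl.
# Table and column names below are assumed for the demo.
use strict;
use warnings;
use DBI;

# Unsafe pattern: request parameters become part of the SQL text, so a
# non-numeric 'supplierid' or 'serialid' rewrites the statement itself.
sub late_issues_unsafe {
    my ($dbh, $supplierid, $serialid) = @_;
    my $sql = "SELECT serialid, planneddate FROM serial WHERE 1=1";
    $sql .= " AND supplierid = $supplierid" if defined $supplierid;
    $sql .= " AND serialid = $serialid"     if defined $serialid;
    return $dbh->selectall_arrayref($sql, { Slice => {} });
}

# Hardened pattern: check that each id is an integer, then pass the values
# through DBI placeholders so they can never change the statement structure.
sub late_issues_safe {
    my ($dbh, $supplierid, $serialid) = @_;
    for my $v ($supplierid, $serialid) {
        die "invalid id parameter\n" if defined $v && $v !~ /\A[0-9]{1,10}\z/;
    }
    my (@where, @bind);
    if (defined $supplierid) { push @where, "supplierid = ?"; push @bind, $supplierid }
    if (defined $serialid)   { push @where, "serialid = ?";   push @bind, $serialid }
    my $sql = "SELECT serialid, planneddate FROM serial";
    $sql .= " WHERE " . join(" AND ", @where) if @where;
    my $sth = $dbh->prepare($sql);
    $sth->execute(@bind);            # data travels separately from the SQL text
    return $sth->fetchall_arrayref({});
}

# Demo against an in-memory SQLite database (assumes DBD::SQLite is installed).
my $dbh = DBI->connect("dbi:SQLite:dbname=:memory:", "", "", { RaiseError => 1 });
$dbh->do("CREATE TABLE serial (serialid INTEGER, supplierid INTEGER, planneddate TEXT)");
$dbh->do("INSERT INTO serial VALUES (1, 7, '2025-01-01'), (2, 7, '2025-02-01'), (3, 9, '2025-03-01')");

my $rows = late_issues_safe($dbh, 7, undef);
printf "supplier 7 has %d late issues\n", scalar @$rows;

# Any non-integer value (here a stray quote, constructed for the demo) is
# rejected before a single byte of SQL is built.
eval { late_issues_safe($dbh, "7'", undef) };
print "rejected: $@" if $@;
```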

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 3.4
impact: 5.0
exploitability: 9.7
remediation: 7.7
relevance: 0.0
threat: 7.0
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.