Koha
cpe:2.3:a:koha:koha:*:*:*:*:*:*:*
Affected versions:
- <= 25.11.00
- <= 25.05.06
- <= 24.11.11
A SQL injection vulnerability has been identified in the Koha staff interface, in the 'displayby' parameter of the suggestions management script. It allows low-privileged staff users to execute arbitrary SQL queries and access sensitive information from the database. The cause is inadequate validation and sanitization of user input, so injected SQL can be used to extract confidential data, such as password hashes, from the database.
Exploitation of this vulnerability allows authenticated users to perform SQL injection attacks, potentially leading to unauthorized access to sensitive database information, including password hashes.
To reproduce this vulnerability, log into the Koha staff interface and navigate to the suggestions management script. Inject SQL payloads into the 'displayby' parameter, such as commands to extract database version information or password hashes from user accounts. The injected SQL will generate errors that can be exploited to retrieve the leaked information from the error logs.
The vulnerability has been fixed in Koha versions 26.05.00, 25.11.01, 25.05.07, and 24.11.12.
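The affected and fixed version lists above, turned into an inventory check for triage. This is an added example, not code from Koha or from this advisory; the host names are constructed, and treating branches older than 24.11 as affected and branches newer than 26.05 as fixed is an assumption drawn from the version lists.

```python
import re

# First fixed patch level per release branch, from the advisory's fixed-version list.
FIXED = {(24, 11): 12, (25, 5): 7, (25, 11): 1, (26, 5): 0}
OLDEST, NEWEST = min(FIXED), max(FIXED)


def parse_version(text):
    """Parse 'YY.MM.PP' (optionally 'YY.MM.PP.DDD') into (year, month, patch)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.\d+)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Koha version: {text!r}")
    return tuple(int(g) for g in m.groups())


def classify(text):
    """Return 'affected', 'fixed' or 'unknown' for one Koha version string."""
    year, month, patch = parse_version(text)
    branch = (year, month)
    if branch in FIXED:
        return "fixed" if patch >= FIXED[branch] else "affected"
    if branch < OLDEST:
        # Assumption: older branches fall under "<= 24.11.11" and have no listed fix.
        return "affected"
    if branch > NEWEST:
        # Assumption: branches released after 26.05.00 carry the fix.
        return "fixed"
    return "unknown"  # a branch the advisory does not mention; check manually


def triage(inventory):
    """Map each host to a status; unparseable versions are reported, not skipped."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = classify(version)
        except ValueError:
            result[host] = "unparseable"
    return result


# Constructed inventory for illustration (host names are hypothetical).
INVENTORY = {
    "opac-a.example": "25.11.00.000",
    "opac-b.example": "25.05.07",
    "opac-c.example": "24.05.10",
    "opac-d.example": "main",
}

if __name__ == "__main__":
    for host, status in sorted(triage(INVENTORY).items()):
        print(f"{host}\t{INVENTORY[host]}\t{status}")
```

Hosts reported as "unknown" or "unparseable" need a manual check rather than being counted as safe.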