CVE-2015-4630

Опубликовано: 18 окт. 2018

Источник: nvd

CVSS3: 8

CVSS2: 6

EPSS Низкий

Описание

Multiple cross-site request forgery (CSRF) vulnerabilities in Koha 3.14.x before 3.14.16, 3.16.x before 3.16.12, 3.18.x before 3.18.08, and 3.20.x before 3.20.1 allow remote attackers to (1) hijack the authentication of administrators for requests that create a user via a request to members/memberentry.pl or (2) give a user superlibrarian permission via a request to members/member-flags.pl or (3) hijack the authentication of arbitrary users for requests that conduct cross-site scripting (XSS) attacks via the addshelf parameter to opac-shelves.pl.

Ссылки

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14423
Exploit
Issue Tracking
Vendor Advisory
https://koha-community.org/koha-3-14-16-released/
Product
Release Notes
Vendor Advisory
https://koha-community.org/security-release-koha-3-16-12/
Product
Release Notes
Vendor Advisory
https://koha-community.org/security-release-koha-3-18-8/
Product
Release Notes
Vendor Advisory
https://koha-community.org/security-release-koha-3-20-1/
Product
Release Notes
Vendor Advisory
https://packetstormsecurity.com/files/132458/Koha-ILS-3.20.x-CSRF-XSS-Traversal-SQL-Injection.html
Exploit
Third Party Advisory
VDB Entry
https://seclists.org/fulldisclosure/2015/Jun/80
Exploit
Mailing List
Third Party Advisory
https://www.exploit-db.com/exploits/37389/
Third Party Advisory
VDB Entry
https://www.sba-research.org/2015/06/24/researchers-of-sba-research-found-several-critical-security-vulnerabilities-in-the-koha-library-software-via-combinatorial-testing/
Third Party Advisory
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=14423
Exploit
Issue Tracking
Vendor Advisory
https://koha-community.org/koha-3-14-16-released/
Product
Release Notes
Vendor Advisory
https://koha-community.org/security-release-koha-3-16-12/
Product
Release Notes
Vendor Advisory
https://koha-community.org/security-release-koha-3-18-8/
Product
Release Notes
Vendor Advisory
https://koha-community.org/security-release-koha-3-20-1/
Product
Release Notes
Vendor Advisory
https://packetstormsecurity.com/files/132458/Koha-ILS-3.20.x-CSRF-XSS-Traversal-SQL-Injection.html
Exploit
Third Party Advisory
VDB Entry
https://seclists.org/fulldisclosure/2015/Jun/80
Exploit
Mailing List
Third Party Advisory
https://www.exploit-db.com/exploits/37389/
Third Party Advisory
VDB Entry
https://www.sba-research.org/2015/06/24/researchers-of-sba-research-found-several-critical-security-vulnerabilities-in-the-koha-library-software-via-combinatorial-testing/
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:koha:koha:*:*:*:*:*:*:*:*

Версия от 3.14.00 (включая) до 3.14.16 (исключая)

cpe:2.3:a:koha:koha:*:*:*:*:*:*:*:*

Версия от 3.16.00 (включая) до 3.16.12 (исключая)

cpe:2.3:a:koha:koha:*:*:*:*:*:*:*:*

Версия от 3.18.0 (включая) до 3.18.8 (исключая)

cpe:2.3:a:koha:koha:*:*:*:*:*:*:*:*

Версия от 3.20.00 (включая) до 3.20.1 (исключая)

EPSS

Процентиль: 70%

0.00642

Низкий

8 High

CVSS3

6 Medium

CVSS2

Дефекты

CWE-352

Связанные уязвимости

CVE-2015-4630

CVSS3: 8

debian

больше 7 лет назад

Multiple cross-site request forgery (CSRF) vulnerabilities in Koha 3.1 ...

GHSA-85vr-q6xj-xf78

CVSS3: 8

github

больше 3 лет назад

EPSS

Процентиль: 70%

0.00642

Низкий

8 High

CVSS3

6 Medium

CVSS2

Дефекты

CWE-352