CVE-2018-1000669

KOHA Library System version 16.11.x (up until 16.11.13) and 17.05.x (up until 17.05.05) contains a Cross Site Request Forgery (CSRF) vulnerability in /cgi-bin/koha/members/paycollect.pl Parameters affected: borrowernumber, amount, amountoutstanding, paid that can result in Attackers can mark payments as paid for certain users on behalf of Administrators. This attack appear to be exploitable via The victim must be socially engineered into clicking a link, usually via email. This vulnerability appears to have been fixed in 17.11.
References
Link Resource
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19117 Exploit Issue Tracking Patch Vendor Advisory
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19117 Exploit Issue Tracking Patch Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:koha:koha:*:*:*:*:*:*:*:*
cpe:2.3:a:koha:koha:*:*:*:*:*:*:*:*

History

21 Nov 2024, 03:40

Type Values Removed Values Added
References () https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19117 - Exploit, Issue Tracking, Patch, Vendor Advisory () https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=19117 - Exploit, Issue Tracking, Patch, Vendor Advisory

Information

Published : 2018-09-06 19:29

Updated : 2024-11-21 03:40


NVD link : CVE-2018-1000669

Mitre link : CVE-2018-1000669

CVE.ORG link : CVE-2018-1000669


JSON object : View

Products Affected

koha

  • koha
CWE
CWE-352

Cross-Site Request Forgery (CSRF)