CVE-2024-24336

Multiple cross-site scripting (XSS) vulnerabilities in the '/members/moremember.pl' and '/members/members-home.pl' endpoints of Koha Library Management System version 23.05.05 and earlier allow malicious staff users to carry out CSRF attacks, including unauthorized changes to the usernames and passwords of users who visit the affected page, via the 'Circulation note' and 'Patrons Restriction' components.
Configurations

No configuration.

History

21 Nov 2024, 08:59

Type | Values Removed | Values Added
References | https://nitipoom-jar.github.io/CVE-2024-24336/ | https://nitipoom-jar.github.io/CVE-2024-24336/
Summary
  • (es) Multiple cross-site scripting (XSS) vulnerabilities in the '/members/moremember.pl' and '/members/members-home.pl' endpoints of Koha Library Management System version 23.05.05 and earlier allow malicious staff users to carry out CSRF attacks, including unauthorized changes to the usernames and passwords of users who visit the affected page, via the 'Circulation note' and 'Patron restriction' components.

06 Aug 2024, 18:35

Type | Values Removed | Values Added
CWE | | CWE-352
CVSS | v2 : unknown; v3 : unknown | v2 : unknown; v3 : 8.1

20 Mar 2024, 13:00

Type | Values Removed | Values Added
New CVE | |

Information

Published : 2024-03-19 21:15

Updated : 2024-11-21 08:59


NVD link : CVE-2024-24336

Mitre link : CVE-2024-24336

CVE.ORG link : CVE-2024-24336


Products Affected

No product.

CWE
CWE-352

Cross-Site Request Forgery (CSRF)