CVE-2014-9446

Name of the Vulnerable Software and Affected Versions Koha versions prior to 3.16.6 Koha versions 3.18.x prior to 3.18.2

Description The issue allows remote attackers to inject arbitrary web script or HTML. This can be achieved via the sort by parameter to the (1) opac parameter in "opac-search.pl" or (2) intranet parameter in "catalogue/search.pl".

Recommendations For Koha versions prior to 3.16.6, update to version 3.16.6 or later. For Koha versions 3.18.x prior to 3.18.2, update to version 3.18.2 or later. As a temporary workaround, consider restricting access to the sort by parameter in the affected API endpoints until a patch is available.