CVE-2015-4630

Name of the Vulnerable Software and Affected Versions Koha versions 3.14.x through 3.14.15 Koha versions 3.16.x through 3.16.11 Koha versions 3.18.x through 3.18.07 Koha versions 3.20.x through 3.20.0

Description The issue allows remote attackers to hijack the authentication of administrators for requests that create a user via a request to "members/memberentry.pl" or give a user superlibrarian permission via a request to "members/member-flags.pl". Additionally, it allows the hijacking of the authentication of arbitrary users for requests that conduct cross-site scripting (XSS) attacks via the addshelf parameter to "opac-shelves.pl".

Recommendations For Koha versions 3.14.x through 3.14.15, update to version 3.14.16 or later. For Koha versions 3.16.x through 3.16.11, update to version 3.16.12 or later. For Koha versions 3.18.x through 3.18.07, update to version 3.18.08 or later. For Koha versions 3.20.x through 3.20.0, update to version 3.20.1 or later.