Dimitris Simos

**Name of the Vulnerable Software and Affected Versions** Koha versions 3.14.x through 3.14.15 Koha versions 3.16.x through 3.16.11 Koha versions 3.18.x through 3.18.07 Koha versions 3.20.x through 3.20.0 **Description** The issue allows remote attackers to hijack the authentication of administrators for requests that create a user via a request to "members/memberentry.pl" or give a user superlibrarian permission via a request to "members/member-flags.pl". Additionally, it allows the hijacking of the authentication of arbitrary users for requests that conduct cross-site scripting (XSS) attacks via the `addshelf` parameter to "opac-shelves.pl". **Recommendations** For Koha versions 3.14.x through 3.14.15, update to version 3.14.16 or later. For Koha versions 3.16.x through 3.16.11, update to version 3.16.12 or later. For Koha versions 3.18.x through 3.18.07, update to version 3.18.08 or later. For Koha versions 3.20.x through 3.20.0, update to version 3.20.1 or later.

**Name of the Vulnerable Software and Affected Versions** Koha versions 3.14.x through 3.14.15 Koha versions 3.16.x through 3.16.11 Koha versions 3.18.x through 3.18.07 Koha versions 3.20.x through 3.20.0 **Description** The issue allows remote attackers to inject arbitrary web script or HTML via various parameters, including `tag` to "opac-search.pl", `value` to "authorities/authorities-home.pl", `delay` to "acqui/lateorders.pl", `authtypecode` or `tagfield` to "admin/auth subfields structure.pl", `tagfield` to "admin/marc subfields structure.pl", `limit` to "catalogue/search.pl", and multiple parameters to "serials/serials-search.pl" and "suggestion/suggestion.pl". **Recommendations** For Koha versions 3.14.x through 3.14.15, update to version 3.14.16 or later. For Koha versions 3.16.x through 3.16.11, update to version 3.16.12 or later. For Koha versions 3.18.x through 3.18.07, update to version 3.18.08 or later. For Koha versions 3.20.x through 3.20.0, update to version 3.20.1 or later.

**Name of the Vulnerable Software and Affected Versions** Koha versions 3.14.x through 3.14.15 Koha versions 3.16.x through 3.16.11 Koha versions 3.18.x through 3.18.07 Koha versions 3.20.x through 3.20.0 **Description** The issue allows remote attackers to read arbitrary files via a ..%2f (dot dot encoded slash) in the `template path` parameter to "svc/virtualshelves/search" or "svc/members/search" API endpoints. **Recommendations** For Koha versions 3.14.x through 3.14.15, update to version 3.14.16 or later. For Koha versions 3.16.x through 3.16.11, update to version 3.16.12 or later. For Koha versions 3.18.x through 3.18.07, update to version 3.18.08 or later. For Koha versions 3.20.x through 3.20.0, update to version 3.20.1 or later.

**Name of the Vulnerable Software and Affected Versions** Koha versions 3.14.x through 3.14.15 Koha versions 3.16.x through 3.16.11 Koha versions 3.18.x through 3.18.07 Koha versions 3.20.x through 3.20.0 **Description** The issue allows remote attackers to execute arbitrary SQL commands via the `number` parameter to "opac-tags subject.pl" in the OPAC interface. Additionally, remote authenticated users can execute arbitrary SQL commands via the `Filter` or `Criteria` parameter to "reports/borrowers out.pl" in the Staff interface. **Recommendations** For Koha versions 3.14.x through 3.14.15, update to version 3.14.16 or later. For Koha versions 3.16.x through 3.16.11, update to version 3.16.12 or later. For Koha versions 3.18.x through 3.18.07, update to version 3.18.08 or later. For Koha versions 3.20.x through 3.20.0, update to version 3.20.1 or later.

**Name of the Vulnerable Software and Affected Versions** Koha versions 3.14.x through 3.14.15 Koha versions 3.16.x through 3.16.11 Koha versions 3.20.x through 3.20.0 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via a crafted list name. This is a type of security issue where an attacker can inject malicious code into a website, potentially allowing them to steal user data or take control of the user's session. **Recommendations** For Koha versions 3.14.x through 3.14.15, update to version 3.14.16 or later. For Koha versions 3.16.x through 3.16.11, update to version 3.16.12 or later. For Koha versions 3.20.x through 3.20.0, update to version 3.20.1 or later.