Galen Charlton

**Name of the Vulnerable Software and Affected Versions** Koha versions prior to 3.8.23 Koha versions 3.10.x prior to 3.10.13 Koha versions 3.12.x prior to 3.12.10 Koha versions 3.14.x prior to 3.14.3 **Description** The issue allows remote attackers to read arbitrary files via unspecified vectors due to an absolute path traversal vulnerability in the tools/pdfViewer.pl script. **Recommendations** For Koha versions prior to 3.8.23, update to version 3.8.23 or later. For Koha versions 3.10.x prior to 3.10.13, update to version 3.10.13 or later. For Koha versions 3.12.x prior to 3.12.10, update to version 3.12.10 or later. For Koha versions 3.14.x prior to 3.14.3, update to version 3.14.3 or later.

**Name of the Vulnerable Software and Affected Versions** Koha versions prior to 3.8.23 Koha versions 3.10.x prior to 3.10.13 Koha versions 3.12.x prior to 3.12.10 Koha versions 3.14.x prior to 3.14.3 **Description** The issue allows remote attackers to write to arbitrary files via unspecified vectors due to multiple directory traversal vulnerabilities in the staff interface help editor (edithelp.pl) or member-picupload.pl. **Recommendations** For Koha versions prior to 3.8.23, update to version 3.8.23 or later. For Koha versions 3.10.x prior to 3.10.13, update to version 3.10.13 or later. For Koha versions 3.12.x prior to 3.12.10, update to version 3.12.10 or later. For Koha versions 3.14.x prior to 3.14.3, update to version 3.14.3 or later.

**Name of the Vulnerable Software and Affected Versions** Koha versions prior to 3.8.23 Koha versions 3.10.x prior to 3.10.13 Koha versions 3.12.x prior to 3.12.10 Koha versions 3.14.x prior to 3.14.3 **Description** The issue concerns the MARC framework import/export function, specifically the `admin/import export framework.pl` script, which does not require authentication. This lack of authentication allows remote attackers to conduct SQL injection attacks. **Recommendations** For Koha versions prior to 3.8.23, update to version 3.8.23 or later. For Koha versions 3.10.x prior to 3.10.13, update to version 3.10.13 or later. For Koha versions 3.12.x prior to 3.12.10, update to version 3.12.10 or later. For Koha versions 3.14.x prior to 3.14.3, update to version 3.14.3 or later.

**Name of the Vulnerable Software and Affected Versions** Koha versions prior to 3.8.23 Koha versions 3.10.x prior to 3.10.13 Koha versions 3.12.x prior to 3.12.10 Koha versions 3.14.x prior to 3.14.3 **Description** The issue allows remote authenticated users to execute arbitrary SQL commands. This can be leveraged by remote attackers. **Recommendations** For Koha versions prior to 3.8.23, update to version 3.8.23 or later. For Koha versions 3.10.x prior to 3.10.13, update to version 3.10.13 or later. For Koha versions 3.12.x prior to 3.12.10, update to version 3.12.10 or later. For Koha versions 3.14.x prior to 3.14.3, update to version 3.14.3 or later.