Bywater Solutions · Koha Library System · CVE-2018-1000669
**Name of the Vulnerable Software and Affected Versions**
Koha Library System versions 16.11.x through 16.11.13
Koha Library System versions 17.05.x through 17.05.05
**Description**
The staff-interface script /cgi-bin/koha/members/paycollect.pl, which records payments against a patron's fines, accepted its state-changing request without verifying that the request had been intentionally submitted from Koha's own form, i.e. it carried no anti-CSRF protection. An attacker who knows a target patron's `borrowernumber` can therefore craft a page or link that submits the `borrowernumber`, `amount`, `amountoutstanding` and `paid` parameters to the script. If a staff member who is logged in to the staff client, and who has permission to manage fines, opens that page, their browser attaches the session cookie and the fines of the targeted patron are marked as paid without the staff member's knowledge. The attack depends on social engineering: the victim must be tricked into following the link, typically delivered by email, while their staff session is still valid.
**Recommendations**
For Koha Library System versions 16.11.x through 16.11.13, update to version 17.11 or later.
For Koha Library System versions 17.05.x through 17.05.05, update to version 17.11 or later.
Until the upgrade is applied, reduce exposure rather than trying to avoid the parameters themselves: `borrowernumber`, `amount`, `amountoutstanding` and `paid` are the form's normal fields and cannot be omitted. Restrict access to the staff interface, and to /cgi-bin/koha/members/paycollect.pl in particular, to trusted networks or a VPN; have staff log out of the staff client when they are not actively working in it, since the attack only succeeds against an authenticated session; and warn staff to treat unexpected links in email with suspicion. Note the limit of the network restriction: the forged request is sent by the victim's own browser, so restricting the endpoint by source address does not stop the attack when that browser is itself on the trusted network.
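To make the defect described above and the shape of the fix concrete, here is an added example that is not Koha's own code (Koha is written in Perl; this is a Python sketch of the same logic). It models the payment handler once as it behaves without any request-origin check and once guarded by a per-session anti-CSRF token, then replays a forged submission carrying the advisory's four parameters against both. The patron number, session id, secret, fines table and handler names are hypothetical, constructed for the demonstration; the parameter names are the ones the advisory lists.

```python
import hashlib
import hmac


# Constructed sample data: one patron (borrowernumber 12345, a made-up value)
# with a single outstanding fine. Koha itself keeps this in its database.
def sample_fines():
    return {12345: {"amountoutstanding": 7.5, "paid": 0.0}}


def make_csrf_token(secret: bytes, session_id: str) -> str:
    """Per-session anti-CSRF token: an HMAC of the session id under a
    server-side secret, so a token from another session (or none) fails."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def check_csrf_token(secret: bytes, session_id: str, token) -> bool:
    if not token:
        return False
    expected = make_csrf_token(secret, session_id)
    # Constant-time comparison; a plain == would leak timing information.
    return hmac.compare_digest(expected, token)


def paycollect_vulnerable(params, session, fines):
    """Models the affected behaviour: the script trusts the session cookie and
    acts on the form fields, with no proof that the user meant to send them."""
    if not session.get("can_manage_fines"):
        return {"status": "rejected", "reason": "not permitted"}
    patron = fines[int(params["borrowernumber"])]
    paid = float(params["paid"])  # 'amount'/'amountoutstanding' are carried but unused here
    patron["paid"] += paid
    patron["amountoutstanding"] -= paid
    return {"status": "ok", "amountoutstanding": patron["amountoutstanding"]}


def paycollect_fixed(params, session, secret, fines):
    """Same handler, but the form must carry a token bound to the session.
    An attacker's page cannot read the victim's token, so a forged request
    arrives without a valid one and is refused before anything changes."""
    if not check_csrf_token(secret, session["id"], params.get("csrf_token")):
        return {"status": "rejected", "reason": "missing or invalid csrf_token"}
    return paycollect_vulnerable(params, session, fines)


def demo():
    secret = b"server-side-secret-kept-out-of-templates"  # hypothetical
    staff_session = {"id": "sess-abc123", "can_manage_fines": True}  # hypothetical

    # What a forged link or auto-submitting form sends on the victim's behalf:
    # the advisory's four fields, and naturally no token.
    forged = {"borrowernumber": "12345", "amount": "7.50",
              "amountoutstanding": "7.50", "paid": "7.50"}

    # The same submission coming from Koha's own form, which embeds the token.
    legit = dict(forged, csrf_token=make_csrf_token(secret, staff_session["id"]))

    return {
        "forged_vs_vulnerable": paycollect_vulnerable(forged, staff_session, sample_fines()),
        "forged_vs_fixed": paycollect_fixed(forged, staff_session, secret, sample_fines()),
        "legit_vs_fixed": paycollect_fixed(legit, staff_session, secret, sample_fines()),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run as a script it shows the forged request succeeding against the unguarded handler (the fine drops to 0.0) and being rejected by the guarded one, while the genuine form submission still goes through. A session-bound token is the standard CSRF fix; Koha's own 17.11 patch may differ in detail, and a `SameSite` cookie attribute or an `Origin`/`Referer` check is a reasonable defence in depth on top of it, not a replacement.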