PT-2018-9522 · Bywater Solutions · Koha Library System

Jiaky Ooi · Published 2018-09-06 · Updated 2018-11-07 · CVE-2018-1000670

CVSS v3.1: 6.1 (Medium)

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

KOHA Library System versions 16.11.x through 16.11.13
KOHA Library System versions 17.05.x through 17.05.05

Description

The issue allows for Cross Site Scripting (XSS) in multiple fields on various pages, including API endpoints such as "/cgi-bin/koha/acqui/supplier.pl?op=enter", "/cgi-bin/koha/circ/circulation.pl?borrowernumber=[borrowernumber]", and "/cgi-bin/koha/serials/subscription-add.pl". This can result in privilege escalation by taking control of higher-privileged users' browser sessions. The attack is exploitable if victims are socially engineered to visit a vulnerable webpage containing a malicious payload.

Recommendations

For KOHA Library System versions 16.11.x through 16.11.13, update to version 17.11 or later.
For KOHA Library System versions 17.05.x through 17.05.05, update to version 17.11 or later.
As a temporary workaround, consider restricting access to the vulnerable API endpoints until a patch is available. Avoid using the borrowernumber parameter in the affected API endpoint until the issue is resolved.

Exploit

Fix

XSS

Weakness Enumeration

Related identifiers

CVE-2018-1000670

Affected products

Koha Library System