PT-2023-5947 · Unknown · Koha Library

Published: 2023-10-05 · Updated: 2023-10-16 · CVE-2023-44962

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Koha Library Software versions 23.05.04 and before

Description: The issue stems from a lack of filtering of the client-supplied path in the upload-cover-image.pl component, which can allow a remote attacker to read arbitrary files. The vulnerability can be exploited by uploading archive files containing symbolic links, potentially leaking some of the content of the linked files.

Recommendations: For Koha Library Software versions 23.05.04 and before, consider disabling the upload-cover-image.pl component until a patch is available to prevent exploitation. Restrict access to the upload-cover-image.pl component to minimize the risk of arbitrary file reading. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
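As an added defensive example (not Koha's own code): a pre-extraction check for an uploaded cover-image archive that refuses any ZIP member that is a symbolic link, an absolute path, or a `..` traversal, so an archive of the kind described above is rejected before anything is written to disk. The function names and the two sample archives are constructed for this demonstration.

```python
"""Reject uploaded ZIP archives whose members could read or write outside
the extraction directory (symlinks, absolute paths, '..' traversal)."""
import io
import stat
import zipfile
from pathlib import PurePosixPath


def unsafe_entries(data: bytes) -> list[str]:
    """Return the reasons an archive must be rejected; an empty list means OK.

    Each member's Unix mode is stored in the upper 16 bits of external_attr,
    so a symlink entry carries S_IFLNK there even though its 'content' is
    just the link target as text.
    """
    problems = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            mode = (info.external_attr >> 16) & 0xFFFF
            if stat.S_ISLNK(mode):
                problems.append(f"{name}: symbolic link")
            path = PurePosixPath(name)
            if path.is_absolute():
                problems.append(f"{name}: absolute path")
            if ".." in path.parts:
                problems.append(f"{name}: path traversal")
    return problems


def build_sample(entries) -> bytes:
    """Build an in-memory ZIP from (name, payload, mode) tuples (constructed test input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload, mode in entries:
            info = zipfile.ZipInfo(name)
            info.external_attr = (mode & 0xFFFF) << 16
            zf.writestr(info, payload)
    return buf.getvalue()


# Constructed samples: one benign cover upload, one with a symlink member
# (payload is a placeholder link target) and one traversal member.
GOOD_ARCHIVE = build_sample([("covers/123.jpg", b"\xff\xd8\xff", stat.S_IFREG | 0o644)])
BAD_ARCHIVE = build_sample([
    ("covers/1.jpg", b"PLACEHOLDER-LINK-TARGET", stat.S_IFLNK | 0o777),
    ("../../escape.jpg", b"x", stat.S_IFREG | 0o644),
])

if __name__ == "__main__":
    print("good:", unsafe_entries(GOOD_ARCHIVE))   # prints []
    print("bad:", unsafe_entries(BAD_ARCHIVE))     # two rejection reasons
```

The same check applies to any archive format the upload handler accepts; for tar archives the equivalent signal is `TarInfo.issym()` together with the member name checks.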

Exploit

Unrestricted File Upload

Weakness Enumeration

Related Identifiers

BDU:2023-06644
CVE-2023-44962

Affected Products

Koha Library