CVE-2024-24336

Name of the Vulnerable Software and Affected Versions Koha Library Management System versions 23.05.05 and earlier

Description A multiple Cross-site scripting (XSS) vulnerability in the "/members/moremember.pl" and "/members/members-home.pl" endpoints allows malicious staff users to carry out CSRF attacks, including unauthorized changes to usernames and passwords of users visiting the affected page, via the Circulation note and Patrons Restriction components.

Recommendations For Koha Library Management System versions 23.05.05 and earlier, update to a version later than 23.05.05 to resolve the issue. As a temporary workaround, consider restricting access to the "/members/moremember.pl" and "/members/members-home.pl" endpoints until a patch is available. Avoid using the Circulation note and Patrons Restriction components in the affected endpoints until the issue is resolved.